VARIoT IoT vulnerabilities database
| VAR-201102-0172 | CVE-2010-4731 | WebSCADA Multiple products cgi-bin/read.cgi Absolute path traversal vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a full pathname in the file parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is An absolute path traversal vulnerability exists
| VAR-201102-0159 | CVE-2011-0782 | Google Chrome Service disruption in ( Application crash ) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0149 | CVE-2011-0776 | Mac OS X Run on Google Chrome Vulnerability in obtaining important information in sandbox implementation |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201101-0544 | No CVE | Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1/NETM/DM is prone to a local information-disclosure vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi JP1/NETM/DM Products Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43140
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43140/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
RELEASE DATE:
2011-02-01
DISCUSS ADVISORY:
http://secunia.com/advisories/43140/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43140/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in various Hitachi products,
which can be exploited by malicious, local users to potentially gain
knowledge of sensitive information and malicious people to cause a
DoS (Denial of Service).
1) The permissions for certain files are not properly set, which
allows local users to access files that they are not intended to
access.
2) An unspecified error can be exploited to cause a DoS.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-001 (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-001/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0052 | CVE-2010-3269 | Cisco WRF and ARF Player T27LB Vulnerable to stack-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEX meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room: .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j.text:6070C272 test esi, esi.text:6070C274 jnz short loc_6070C28F.text:6070C276 push ebx.text :6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack.text:6070C27A add esp, 4.text:6070C27D test al, al.text:6070C27F jz loc_6070C374.text:6070C285 mov edi, [ebp+ 0].text:6070C288 mov esi, [ebp+4].text:6070C28B mov eax, [esp+0D98h+var_D80].text:6070C28F.text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j.text:6070C28F mov Cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file.text:6070C291 dec esi.text:6070C292 mov [esp+eax+0D 98h+var_C8C], cl ; this mov overflows the stack with user controlled values.text:6070C299 mov ecx, [esp+0D98h+var_D84].text:6070C29D inc edi.text:6070C29E inc eax.text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax.text:6070C2A5 jl short loc_6070C272. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Cisco WebEx .atp and .wrf Overflow Vulnerabilities
1. *Advisory Information*
Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Advisory ID: CORE-2010-1001
Advisory URL:
[http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]
Date published: 2011-01-31
Date of last update: 2011-01-31
Vendors contacted: Cisco
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
Bugtraq ID: N/A
3. *Vulnerability Description*
There are stack overflows on WebEx [1] that can be exploited by sending
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
4. *Vulnerable packages*
. Contact Cisco for a list of vulnerable versions.
5. *Non-vulnerable packages*
. Contact Cisco.
6. *Vendor Information, Solutions and Workarounds*
All clients of WebEx Meeting Center should now be running a patched
version according to Cisco. A non-vulnerable version of WebEx Player
should be available at [http://www.webex.com/downloadplayer.html].
7. *Credits*
These vulnerabilities were discovered and researched by Federico Muttis,
Sebastian Tello and Manuel Muradas from Core Security Technologies
during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The
publication of this advisory was coordinated by Pedro Varangot.
8. *Technical Description*
8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]*
WebEx Player can be used to playback recordings of WebEx sessions. These
recordings can be stored using the .wrf closed and undocumented file
format. This vulnerability can also be exploited by publishing a .wrf
video file in a meeting, resulting in the compromise of the meeting's
participants. *WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]*
WebEx Meeting Center allows polls to be conducted between all
participants of a WebEx session. By serving a specially crafted .atp
file (used for conducting polls) the meeting host can then abruptly
disconnect from the server, and when another client becomes host and
tries to share the .atp file with the other clients arbitrary code
execution is possible on his workstation. If his connection to the
server is then severed by a malicious payload, the .atp file will be
cycled to the next connected client. We
developed trivial examples that take control of EIP using arbitrary
characters.
9. *Report Timeline*
. 2010-10-04:
Core Security Technologies contacts Cisco PSIRT using their provided PGP
key notifying them of the vulnerabilities and sending an advisory draft,
a proof of concept for the WebEx Player vulnerability, and a proof of
concept for the Meeting Center vulnerability including details of how to
reproduce both vulnerabilities, and details about the behaviour of the
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two weeks
timeframe) is set as a potential release date for the advisory. 2010-10-05:
Cisco PSIRT contacts Core stating that their development team is out of
the office till Friday October 8th. November 15th 2010 is mentioned as
an estimated release date for a fix. 2010-10-05:
Core replies to Cisco PSIRT postponing the release date of this advisory
for one week, to Monday October 25th, in order to contemplate the fact
that Cisco's development team is away from office for the week. Further
changes to the release date will be made after receiving technical
feedback. November the 15th is mentioned to be a possible date to settle
on. 2010-10-11:
Cisco PSIRT replies acknowledging "an exception in WebEx player" but
that doesn't overwrite EIP as Core Security Technologies indicated.
Cisco notifies that they were not able to reproduce the crash in WebEx
Meeting Center. Cisco PSIRT also asks for more detailed information
about the version of WebEx Player used. 2010-10-12:
Core sends the requested information, also attaching new proof of
concept exploits for the WebEx Player vulnerability (that now executes
code and launches "calc.exe"), and further details about the steps
needed to reproduce the WebEx Meeting Center crash. Details about the
system where the proof of concept for the WebEx Player vulnerability was
run are asked. Details about the "exception" are also asked, specially
noting that if other registers are overwritten this should be considered
as a vulnerability that would possibly lead to reliable code execution
even if EIP was not modified (as noted by Core on the e-mail where the
PoC was attached). No reply is received to this e-mail. 2010-10-19:
Core resends the previous e-mail asking for news about reproduction of
the vulnerability on Cisco's side and asking if there was any problem in
the reception or interpretation of the last communication. No reply is
received to this e-mail. 2010-10-28:
Core Security Technologies resends the last e-mail, unilaterally
rescheduling the publication of this advisory to November 8th 2010,
which is closer to Cisco's initial estimation for the release of a fix.
Core states its willingness to reschedule this publication date but only
under firm commitment from Cisco to working seriously towards fixing
this issue in a scheduled timeframe. An updated advisory draft is
attached which includes an updated timeline. 2010-10-30:
Cisco PSIRT replies acknowledging the vulnerability, stating that they
were able to reproduce code execution results in the currently released
version of WebEx, and a crash in their current development version.
Cisco also states that there is not information yet from their
development team about when a fix for this vulnerability will be released. 2010-11-09:
Core replies offering more technical details about exploitation if they
are needed, and reminding Cisco that the crash in their development
version may also be exploitable even if the current proof of concept
exploit only crashes it. The publication date for this advisory is
rescheduled to November 22nd 2010. Core states that they will like to
schedule a firm date for the release of information about this
vulnerability to the public and hence would like to get more information
from Cisco about the schedule for the release of a fix. 2010-11-15:
Cisco states that fixed code will be deployed in mid-December, but since
WebEx Meeting Center runs on a SaaS environment it takes about four or
five weeks for all clients to be running the latest version of the code. 2010-12-06:
Cisco contacts Core since no reply was received in the past two weeks,
and clarifies that a fix will be deployed on December 15th and should be
done on January 11th 2011. 2010-12-06:
Core states that they believe this advisory should be released as soon
as the fix is deployed, since diffing the WebEx binary on the client
side gives full details about the WebEx Meeting Center vulnerability to
an average skilled reverse engineer. Core schedules the publication of
this advisory to December 15th 2010. 2010-12-07:
Cisco contacts Core stating that releasing details about this
vulnerability would endanger customers, since there is no action they
can take to protect themselves because the responsibility of upgrading
the code ran by the customer falls on Cisco. Cisco mentions that "many
of these customers are probably shared between Cisco and Core Security". 2010-12-10:
Cisco contacts Core stating that they have just discovered the WebEx
Meeting Center Vulnerability affects a new set of customers that where
not accounted for originally. These are customers running T27SP21 that
can not be upgraded to SP22. An emergency patch will be released for
SP21 in January 2011, and this sets back the date when all clients
should be running an updated version to the "end of January, beginning
of February."
. 2010-12-14:
Core proposes to split this advisory into two different advisories to
better accommodate the WebEx Meeting Center SaaS release cycle. On one
advisory, the .wrf client side vulnerability would be described, and the
other would be dedicated to the WebEx Meeting Center vulnerability that
may compromise a meeting's host computer. Core believes this mitigates
the risk in a more effective way, since clients can update WebEx Player
by themselves on December 15th (the date when Cisco stated the fixed
version would be released) and no details of the Meeting Center
vulnerability would be released until all clients are running an updated
version. 2010-12-15:
Cisco states they wouldn't like the advisory to be splitted, and that
they prefer Core Security Technologies to go ahead and release
information about both vulnerabilities. 2010-12-15:
Core states that they prefer to release two advisories because these are
two different bugs, in two pieces of software, each one of them with a
differently working update channel determined by the vendor. Core also
informs Cisco that the download link for WebEx Player points to a
vulnerable version as of today, and asks Cisco to clarify what date they
meant as mid-December, since Core would like to know when a fixed
version of WebEx Player will be available for download to be able to
publish the WebEx Player vulnerability. 2010-12-16:
Cisco replies saying that releasing two advisories seems like a good
plan to them. Cisco also states that since many of their customers
observe a lockdown policy during the holidays season, they take a "don't
upgrade" policy of their own until Monday January 10th, 2011. That is
the reason why the download link of WebEx Player has not been changed yet. 2011-01-10:
Core states that they are ready to release this advisory on January
11th, and that releasing two separate advisories seems pointless now
because the release date of both would be very similar, and the original
idea was to mitigate the risk posed by the .wrf vulnerability. Core also
states that they are reviewing the best course of action to take with
the issue regarding clients running the old version of WebEx (T27SP21)
that according to Cisco are unable to upgrade to SP22 since this was not
accounted for previously. 2011-01-13:
Core states that since they have committed previously to release the
advisory taking into account Cisco's consideration about their SaaS
patch deploy model, when factoring the issue of clients running the SP21
version of Meeting Center scheduled by Cisco for emergency update on
January, a release date of January the 31st seems reasonable. This date
should be taken as final and Core Security Technologies believes it
takes into account all information given by Cisco about SaaS updating
timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14:
Cisco confirms that the timeframe (publishing both vulnerabilities on
January 31st) works for them. 2011-01-31:
The advisory CORE-2010-1001 is published.
10. *References*
[1] [http://www.webex.com/]
[2]
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek]
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB
L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ
=9HdA
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0307 | CVE-2010-3041 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3042, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----
| VAR-201102-0310 | CVE-2010-3044 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3043. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----
| VAR-201102-0308 | CVE-2010-3042 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----
| VAR-201102-0309 | CVE-2010-3043 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----
| VAR-201102-0053 | CVE-2010-3270 | Cisco WebEx ATP File Remote Stack Buffer Overflow Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Stack-based buffer overflow in Cisco WebEx Meeting Center T27LB before SP21 EP3 and T27LC before SP22 allows user-assisted remote authenticated users to execute arbitrary code by providing a crafted .atp file and then disconnecting from a meeting. NOTE: since this is a site-specific issue with no expected action for consumers, it might be REJECTed. Since this site has been identified, no general user action is required. Cisco WebEx is a web conferencing solution. There is a stack overflow in the .atp file format provided by Cisco WebEx. The function pointers in the stack can be overwritten, and the DEP and ASLR are disabled, resulting in very stable use of the code. Cisco WebEx is prone to a remote code-execution vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition. WebEx is the world's largest provider of network communication services, providing carrier-class network conferencing solutions. Currently WebEx has been acquired by Cisco. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Cisco WebEx .atp and .wrf Overflow Vulnerabilities
1. *Advisory Information*
Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Advisory ID: CORE-2010-1001
Advisory URL:
[http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]
Date published: 2011-01-31
Date of last update: 2011-01-31
Vendors contacted: Cisco
Release mode: Coordinated release
2. *Vulnerability Description*
There are stack overflows on WebEx [1] that can be exploited by sending
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
4. *Vulnerable packages*
. Contact Cisco for a list of vulnerable versions.
5. *Non-vulnerable packages*
. Contact Cisco.
6. *Vendor Information, Solutions and Workarounds*
All clients of WebEx Meeting Center should now be running a patched
version according to Cisco. A non-vulnerable version of WebEx Player
should be available at [http://www.webex.com/downloadplayer.html].
7. *Credits*
These vulnerabilities were discovered and researched by Federico Muttis,
Sebastian Tello and Manuel Muradas from Core Security Technologies
during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The
publication of this advisory was coordinated by Pedro Varangot.
8. *Technical Description*
8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]*
WebEx Player can be used to playback recordings of WebEx sessions. These
recordings can be stored using the .wrf closed and undocumented file
format. This vulnerability can also be exploited by publishing a .wrf
video file in a meeting, resulting in the compromise of the meeting's
participants.
/-----
.text:6070C272 loc_6070C272: ; CODE XREF:
sub_6070C050+255j
.text:6070C272 test esi, esi
.text:6070C274 jnz short loc_6070C28F
.text:6070C276 push ebx
.text:6070C277 call dword ptr [ebp+0Ch] ; call to
function pointer on the stack
.text:6070C27A add esp, 4
.text:6070C27D test al, al
.text:6070C27F jz loc_6070C374
.text:6070C285 mov edi, [ebp+0]
.text:6070C288 mov esi, [ebp+4]
.text:6070C28B mov eax, [esp+0D98h+var_D80]
.text:6070C28F
.text:6070C28F loc_6070C28F: ; CODE XREF:
sub_6070C050+224j
.text:6070C28F mov cl, [edi] ; cl can be
controlled, it is read from the malicious .wrf file
.text:6070C291 dec esi
.text:6070C292 mov [esp+eax+0D98h+var_C8C], cl ;
this mov overflows the stack with user controlled values
.text:6070C299 mov ecx, [esp+0D98h+var_D84]
.text:6070C29D inc edi
.text:6070C29E inc eax
.text:6070C29F cmp eax, ecx
.text:6070C2A1 mov [esp+0D98h+var_D80], eax
.text:6070C2A5 jl short loc_6070C272
- -----/
8.2. If his connection to the
server is then severed by a malicious payload, the .atp file will be
cycled to the next connected client. We
developed trivial examples that take control of EIP using arbitrary
characters.
9. *Report Timeline*
. 2010-10-04:
Core Security Technologies contacts Cisco PSIRT using their provided PGP
key notifying them of the vulnerabilities and sending an advisory draft,
a proof of concept for the WebEx Player vulnerability, and a proof of
concept for the Meeting Center vulnerability including details of how to
reproduce both vulnerabilities, and details about the behaviour of the
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two weeks
timeframe) is set as a potential release date for the advisory. 2010-10-05:
Cisco PSIRT contacts Core stating that their development team is out of
the office till Friday October 8th. November 15th 2010 is mentioned as
an estimated release date for a fix. 2010-10-05:
Core replies to Cisco PSIRT postponing the release date of this advisory
for one week, to Monday October 25th, in order to contemplate the fact
that Cisco's development team is away from office for the week. Further
changes to the release date will be made after receiving technical
feedback. November the 15th is mentioned to be a possible date to settle
on. 2010-10-11:
Cisco PSIRT replies acknowledging "an exception in WebEx player" but
that doesn't overwrite EIP as Core Security Technologies indicated. Cisco PSIRT also asks for more detailed information
about the version of WebEx Player used. 2010-10-12:
Core sends the requested information, also attaching new proof of
concept exploits for the WebEx Player vulnerability (that now executes
code and launches "calc.exe"), and further details about the steps
needed to reproduce the WebEx Meeting Center crash. Details about the
system where the proof of concept for the WebEx Player vulnerability was
run are asked. Details about the "exception" are also asked, specially
noting that if other registers are overwritten this should be considered
as a vulnerability that would possibly lead to reliable code execution
even if EIP was not modified (as noted by Core on the e-mail where the
PoC was attached). No reply is received to this e-mail. 2010-10-19:
Core resends the previous e-mail asking for news about reproduction of
the vulnerability on Cisco's side and asking if there was any problem in
the reception or interpretation of the last communication. No reply is
received to this e-mail. 2010-10-28:
Core Security Technologies resends the last e-mail, unilaterally
rescheduling the publication of this advisory to November 8th 2010,
which is closer to Cisco's initial estimation for the release of a fix.
Core states its willingness to reschedule this publication date but only
under firm commitment from Cisco to working seriously towards fixing
this issue in a scheduled timeframe. An updated advisory draft is
attached which includes an updated timeline. 2010-10-30:
Cisco PSIRT replies acknowledging the vulnerability, stating that they
were able to reproduce code execution results in the currently released
version of WebEx, and a crash in their current development version.
Cisco also states that there is not information yet from their
development team about when a fix for this vulnerability will be released. 2010-11-09:
Core replies offering more technical details about exploitation if they
are needed, and reminding Cisco that the crash in their development
version may also be exploitable even if the current proof of concept
exploit only crashes it. The publication date for this advisory is
rescheduled to November 22nd 2010. Core states that they will like to
schedule a firm date for the release of information about this
vulnerability to the public and hence would like to get more information
from Cisco about the schedule for the release of a fix. 2010-11-15:
Cisco states that fixed code will be deployed in mid-December, but since
WebEx Meeting Center runs on a SaaS environment it takes about four or
five weeks for all clients to be running the latest version of the code. 2010-12-06:
Cisco contacts Core since no reply was received in the past two weeks,
and clarifies that a fix will be deployed on December 15th and should be
done on January 11th 2011. 2010-12-06:
Core states that they believe this advisory should be released as soon
as the fix is deployed, since diffing the WebEx binary on the client
side gives full details about the WebEx Meeting Center vulnerability to
an average skilled reverse engineer. Core schedules the publication of
this advisory to December 15th 2010. 2010-12-07:
Cisco contacts Core stating that releasing details about this
vulnerability would endanger customers, since there is no action they
can take to protect themselves because the responsibility of upgrading
the code ran by the customer falls on Cisco. Cisco mentions that "many
of these customers are probably shared between Cisco and Core Security". 2010-12-10:
Cisco contacts Core stating that they have just discovered the WebEx
Meeting Center Vulnerability affects a new set of customers that where
not accounted for originally. These are customers running T27SP21 that
can not be upgraded to SP22. An emergency patch will be released for
SP21 in January 2011, and this sets back the date when all clients
should be running an updated version to the "end of January, beginning
of February."
. 2010-12-14:
Core proposes to split this advisory into two different advisories to
better accommodate the WebEx Meeting Center SaaS release cycle. On one
advisory, the .wrf client side vulnerability would be described, and the
other would be dedicated to the WebEx Meeting Center vulnerability that
may compromise a meeting's host computer. Core believes this mitigates
the risk in a more effective way, since clients can update WebEx Player
by themselves on December 15th (the date when Cisco stated the fixed
version would be released) and no details of the Meeting Center
vulnerability would be released until all clients are running an updated
version. 2010-12-15:
Cisco states they wouldn't like the advisory to be splitted, and that
they prefer Core Security Technologies to go ahead and release
information about both vulnerabilities. 2010-12-15:
Core states that they prefer to release two advisories because these are
two different bugs, in two pieces of software, each one of them with a
differently working update channel determined by the vendor. Core also
informs Cisco that the download link for WebEx Player points to a
vulnerable version as of today, and asks Cisco to clarify what date they
meant as mid-December, since Core would like to know when a fixed
version of WebEx Player will be available for download to be able to
publish the WebEx Player vulnerability. 2010-12-16:
Cisco replies saying that releasing two advisories seems like a good
plan to them. Cisco also states that since many of their customers
observe a lockdown policy during the holidays season, they take a "don't
upgrade" policy of their own until Monday January 10th, 2011. That is
the reason why the download link of WebEx Player has not been changed yet. 2011-01-10:
Core states that they are ready to release this advisory on January
11th, and that releasing two separate advisories seems pointless now
because the release date of both would be very similar, and the original
idea was to mitigate the risk posed by the .wrf vulnerability. Core also
states that they are reviewing the best course of action to take with
the issue regarding clients running the old version of WebEx (T27SP21)
that according to Cisco are unable to upgrade to SP22 since this was not
accounted for previously. 2011-01-13:
Core states that since they have committed previously to release the
advisory taking into account Cisco's consideration about their SaaS
patch deploy model, when factoring the issue of clients running the SP21
version of Meeting Center scheduled by Cisco for emergency update on
January, a release date of January the 31st seems reasonable. This date
should be taken as final and Core Security Technologies believes it
takes into account all information given by Cisco about SaaS updating
timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14:
Cisco confirms that the timeframe (publishing both vulnerabilities on
January 31st) works for them. 2011-01-31:
The advisory CORE-2010-1001 is published.
10. *References*
[1] [http://www.webex.com/]
[2]
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek]
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB
L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ
=9HdA
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0365 | CVE-2011-1034 | IBM Rational Build Forge Cross-Site Scripting Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the UI in IBM Rational Build Forge 7.0.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter to the fullcontrol program. NOTE: some of these details are obtained from third party information. IBM Rational Build Forge is an automated process execution software that helps customers build, test and publish automated software. Part of the input passed to fullcontrol/ is not properly filtered before returning to the user, and the attacker can exploit the vulnerability for arbitrary HTML and script code attacks to obtain sensitive information or hijack the target user session. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
IBM Rational Build Forge Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA43180
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43180/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43180
RELEASE DATE:
2011-02-04
DISCUSS ADVISORY:
http://secunia.com/advisories/43180/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43180/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43180
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in IBM Rational Build Forge, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Certain input passed to fullcontrol/ is not properly sanitised before
being returned to the user.
The vulnerability is reported in version 7.02.
SOLUTION:
Apply APAR PM05187.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits a customer.
ORIGINAL ADVISORY:
IBM (PM05187):
http://www.ibm.com/support/docview.wss?uid=swg1PM05187
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0369 | CVE-2011-1042 | Google Chrome OS of flimflamd Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Use-after-free vulnerability in flimflamd in flimflam in Google Chrome OS before 0.9.130.14 Beta allows user-assisted remote attackers to cause a denial of service (daemon crash) by providing the name of a hidden WiFi network that does not respond to connection attempts. Google Chrome OS is a lightweight computer operating system development program developed by Google to develop a cloud operating system dedicated to the Internet. A post-release vulnerability exists in flimflamd in flimflam prior to Google Chrome OS 0.9.130.14 Beta.
Successful exploits will cause the affected application to crash, effectively denying service to legitimate users. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed
| VAR-201101-0497 | No CVE | Huwea HG520/HG530 Wireless Routers Weak Cipher Security Weakness |
CVSS V2: - CVSS V3: - Severity: - |
Huwea HG520/HG530 are prone to a security weakness that may allow attackers to generate default WEP/WPA keys.
Successfully exploiting this issue may allow attackers to generate the WEP/WPA key using the MAC address. This may lead to other attacks.
| VAR-201101-0212 | CVE-2011-0349 | CSG2 Run on Cisco IOS Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth17178, a different vulnerability than CVE-2011-0350. The problem is Bug ID CSCth17178 It is a problem. This vulnerability CVE-2011-0350 Is a different vulnerability.Skillfully crafted by a third party TCP Service disruption via packets (DoS) There is a possibility of being put into a state. Under certain
configurations this vulnerability could allow:
* Customers to access sites that would normally match a billing
policy to be accessed without being charged to the end customer
* Customers to access sites that would normally be denied based on
configured restriction policies
Additionally, Cisco IOS Software Release 12.4(24)MD1 on the Cisco
CSG2 contains two vulnerabilities that can be exploited by a remote,
unauthenticated attacker to create a denial of service condition that
prevents traffic from passing through the CSG2. A three-way handshake is not
required to exploit either of these vulnerabilities.
Workarounds that mitigate these vulnerabilities are not available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml.
Affected Products
=================
The service policy bypass vulnerability affects all versions of the
Cisco IOS Software for the CSG2 prior to the first fixed release, as
indicated in the "Software Versions and Fixes" section of this advisory. No other Cisco IOS Software
releases are affected.
Vulnerable Products
+------------------
To determine the version of Cisco IOS Software that is running on the
Cisco CSG2, issue the "show module" command from Cisco IOS Software on
the switch on which the Cisco CSG2 module is installed to identify what
modules and sub-modules are installed on the system.
Cisco CSG2 runs on the Cisco Service and Application Module for IP
(SAMI) card, and is identified in the following example in slot 2 via
the WS-SVC-SAMI-BB-K9 identification:
C7600#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL JAF1226ARQS
2 1 SAMI Module (csgk9) WS-SVC-SAMI-BB-K9 SAD113906P1
4 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1127T6XY
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 001e.be6e.a018 to 001e.be6e.a01b 5.6 8.5(2) 12.2(33)SRC5 Ok
2 001d.45f8.f3dc to 001d.45f8.f3e3 2.1 8.7(0.22)FW1 12.4(2010040 Ok
4 001c.587a.ef20 to 001c.587a.ef4f 2.6 12.2(14r)S5 12.2(33)SRC5 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
1 Policy Feature Card 3 WS-F6K-PFC3BXL JAF1226BNQM 1.8 Ok
1 MSFC3 Daughterboard WS-SUP720 JAF1226BNMC 3.1 Ok
2 SAMI Daughterboard 1 SAMI-DC-BB SAD114400L9 1.1 Other
2 SAMI Daughterboard 2 SAMI-DC-BB SAD114207FU 1.1 Other
4 Centralized Forwarding Card WS-F6700-CFC SAL1029VGFK 2.0 Ok
Mod Online Diag Status
---- -------------------
1 Pass
2 Pass
4 Pass
C7600#
After locating the correct slot, issue the "session slot <module number>
processor <3-9>" command to open a console connection to the respective
Cisco CSG2. Once connected to the Cisco CSG2, perform the "show version"
command:
The following example shows that the Cisco CSG2 is running software
Release 12.4(24)MD1:
CSG2#show version
Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco Content Services Gateway - Second Generation (CSG2) provides
intelligent network capabilities such as flexible policy management
and billing based on deep-packet inspection, as well as subscriber and
application awareness capabilities that enable mobile operators to
quickly and easily offer value-added, differentiated services over their
mobile data networks.
The service policy bypass vulnerability affects configurations that
allow end users to first access non-accounted or billed sites. After a
user accesses a non-accounted site, it is possible to access other sites
that are defined by a billing service policy or to access sites that may
be blocked by other policies by sending specially crafted HTTP packets.
This vulnerability only affects HTTP content traffic. HTTPS and other
traffic types are not affected. A three-way handshake is not required to exploit either of
these vulnerabilities. The vulnerabilities are triggered by TCP traffic
that transits the Cisco CSG2.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtk35917 ("Service Policy Bypass Vulnerability")
CVSS Base Score - 6.4
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth41891/CSCth17178 ("Crafted TCP packet causes CSG2 to restart")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the service policy bypass can allow customers
to obtain access to sites that would normally be accounted and billed
according to the billing policy without the billing policy being
engaged. Additionally, customers could gain access to URLs that are
configured in the Cisco CSG2 to be explicitly denied. Due to Cisco
Bug ID CSCtg50821, the Cisco CSG2 may not automatically recover and
may require a manual reload of the SAMI card by issuing the "hw-module
module <x> reset" CLI command from the switch.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS Software table (below) names a Cisco IOS
release train. If a release train is vulnerable, then the earliest
possible releases that contain the fix (along with the anticipated date
of availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. The "Recommended Release" column indicates
the releases which have fixes for all the published vulnerabilities
at the time of this Advisory. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable. Cisco recommends
upgrading to a release equal to or later than the release in the
"Recommended Releases" column of the table.
+---------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+--------------------------------------------------|
| Affected | |
| 12.x-Based | First Fixed Release |
| Releases | |
|------------+--------------------------------------------------|
| 12.0 - | 12.0 through 12.3 based releases are not |
| 12.3 | affected |
|------------+--------------------------------------------------|
| Affected | First Fixed Release |
| 12.4-Based |--------------------------------------------------|
| Releases | DoS | Service Policy Bypass |
| | Vulnerabilities | Vulnerability |
|------------+------------------+-------------------------------|
| | All 12.4(11)MD | |
| | releases are not | All 12.4(11)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | All 12.4(15)MD | |
| | releases are not | All 12.4(15)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | All 12.4(22)MD | |
| 12.4MD | releases are not | All 12.4(22)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | Releases prior | |
| | to 12.4(24)MD1 | All 12.4(24)MD releases prior |
| | are not | to 12.4(24)MD3 are affected. |
| | affected. | |
| | | First fixed in 12.4(24)MD3 |
| | First fixed in | |
| | 12.4(24)MD2 | |
|------------+------------------+-------------------------------|
| | | All 12.4(22)MDA releases |
| | | prior to 12.4(22)MDA5 are |
| | | affected. First fixed in 12.4 |
| | No releases | (22)MDA5 |
| 12.4MDA | affected. | |
| | | All 12.4(24)MDA releases |
| | | prior to 12.4(24)MDA3 are |
| | | affected. First fixed in 12.4 |
| | | (24)MDA3 |
|------------+--------------------------------------------------|
| Affected | |
| 15.X-Based | First Fixed Release |
| Releases | |
|------------+--------------------------------------------------|
| 15.0 - | 15.0 through 15.1 based releases are not |
| 15.1 | affected |
+---------------------------------------------------------------+
Cisco IOS Software for the CSG2 is located on Cisco Software Download
center at the following location: Cisco Interfaces and Modules --> Cisco
Services Modules --> Cisco Service Application Module for IP.
Workarounds
===========
There are no workarounds for these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is aware of public announcements of the service billing
bypass vulnerability on some external blog sites. However the Cisco
PSIRT is not aware of any malicious use of the vulnerabilities described
in this advisory.
These vulnerabilities were found by both internal testing and when
handling customer support calls.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-January-26 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk1APx0ACgkQQXnnBKKRMNBE4QD/WfH2GXgAJub+4ech0JhHizBO
98PLNKENutVsJpa0eCUA/2hKwfofNSloEh7i5JZXrwKFcjgBYJcPnDa1W2JRHSfZ
=EZt9
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Cisco Content Services Gateway Security Bypass and Denial of Service
SECUNIA ADVISORY ID:
SA43052
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43052/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43052
RELEASE DATE:
2011-01-27
DISCUSS ADVISORY:
http://secunia.com/advisories/43052/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43052/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43052
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Content Services
Gateway (CSG2), which can be exploited by malicious people to bypass
certain security restrictions and cause a DoS (Denial of Service).
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
cisco-sa-20110126-csg2:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6791d.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-201101-0398 | No CVE | SAP Crystal Reports Server Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: HIGH |
To successfully exploit this vulnerability, you need to verify the information legally. SAP Crystal Reports Server is a complete reporting solution for creating, managing, and delivering reports through the web or embedded enterprise applications. A security vulnerability exists in SAP Crystal Reports Server that allows malicious users to obtain sensitive information and manipulate the database. (1) ActiveX control (scriptinghelpers.dll) can use the unsafe \"CreateTextFile()\" method to overwrite existing files; (2) ActiveX control (scriptinghelpers.dll) can use the unsafe \"LaunchProgram()\" method to execute arbitrary programs. (3) ActiveX control (scriptinghelpers.dll) can use the unsafe \"DeleteFile()\" method to delete any program; (4) ActiveX control (scriptinghelpers.dll) can use the unsafe \"Kill()\" method to end any process. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
SAP Crystal Reports Server Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA43060
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43060/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43060
RELEASE DATE:
2011-01-26
DISCUSS ADVISORY:
http://secunia.com/advisories/43060/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43060/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43060
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Dmitry Chastuhin has reported multiple vulnerabilities in SAP Crystal
Reports Server 2008, which can be exploited by malicious users to
disclose potentially sensitive information and by malicious people to
conduct cross-site scripting attacks, manipulate certain data, and
compromise a user's system.
1) Input passed to the "actId" parameter in
InfoViewApp/jsp/common/actionNav.jsp, "backUrl" parameter in
InfoViewApp/jsp/common/error.jsp, and "logonAction" parameter in
InfoViewApp/logon.jsp is not properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected
site. This can be exploited to display arbitrary files from
local resources via directory traversal attacks.
SOLUTION:
Apply patches (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Dmitry Chastuhin, Digital Security Research Group (DSecRG).
ORIGINAL ADVISORY:
SAP:
https://service.sap.com/sap/support/notes/1458310
https://service.sap.com/sap/support/notes/1458309
https://service.sap.com/sap/support/notes/1476930
DSecRG:
http://dsecrg.com/pages/vul/show.php?id=301
http://dsecrg.com/pages/vul/show.php?id=302
http://dsecrg.com/pages/vul/show.php?id=303
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201101-0213 | CVE-2011-0350 | CSG2 Run on Cisco IOS Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco IOS 12.4(24)MD before 12.4(24)MD2 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to cause a denial of service (device hang or reload) via crafted TCP packets, aka Bug ID CSCth41891, a different vulnerability than CVE-2011-0349. The problem is Bug ID CSCth41891 It is a problem. This vulnerability CVE-2011-0349 Is a different vulnerability.Skillfully crafted by a third party TCP Service disruption via packets (DoS) There is a possibility of being put into a state. Under certain
configurations this vulnerability could allow:
* Customers to access sites that would normally match a billing
policy to be accessed without being charged to the end customer
* Customers to access sites that would normally be denied based on
configured restriction policies
Additionally, Cisco IOS Software Release 12.4(24)MD1 on the Cisco
CSG2 contains two vulnerabilities that can be exploited by a remote,
unauthenticated attacker to create a denial of service condition that
prevents traffic from passing through the CSG2. A three-way handshake is not
required to exploit either of these vulnerabilities.
Workarounds that mitigate these vulnerabilities are not available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml.
Affected Products
=================
The service policy bypass vulnerability affects all versions of the
Cisco IOS Software for the CSG2 prior to the first fixed release, as
indicated in the "Software Versions and Fixes" section of this advisory. No other Cisco IOS Software
releases are affected.
Vulnerable Products
+------------------
To determine the version of Cisco IOS Software that is running on the
Cisco CSG2, issue the "show module" command from Cisco IOS Software on
the switch on which the Cisco CSG2 module is installed to identify what
modules and sub-modules are installed on the system.
Cisco CSG2 runs on the Cisco Service and Application Module for IP
(SAMI) card, and is identified in the following example in slot 2 via
the WS-SVC-SAMI-BB-K9 identification:
C7600#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL JAF1226ARQS
2 1 SAMI Module (csgk9) WS-SVC-SAMI-BB-K9 SAD113906P1
4 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1127T6XY
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 001e.be6e.a018 to 001e.be6e.a01b 5.6 8.5(2) 12.2(33)SRC5 Ok
2 001d.45f8.f3dc to 001d.45f8.f3e3 2.1 8.7(0.22)FW1 12.4(2010040 Ok
4 001c.587a.ef20 to 001c.587a.ef4f 2.6 12.2(14r)S5 12.2(33)SRC5 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
1 Policy Feature Card 3 WS-F6K-PFC3BXL JAF1226BNQM 1.8 Ok
1 MSFC3 Daughterboard WS-SUP720 JAF1226BNMC 3.1 Ok
2 SAMI Daughterboard 1 SAMI-DC-BB SAD114400L9 1.1 Other
2 SAMI Daughterboard 2 SAMI-DC-BB SAD114207FU 1.1 Other
4 Centralized Forwarding Card WS-F6700-CFC SAL1029VGFK 2.0 Ok
Mod Online Diag Status
---- -------------------
1 Pass
2 Pass
4 Pass
C7600#
After locating the correct slot, issue the "session slot <module number>
processor <3-9>" command to open a console connection to the respective
Cisco CSG2. Once connected to the Cisco CSG2, perform the "show version"
command:
The following example shows that the Cisco CSG2 is running software
Release 12.4(24)MD1:
CSG2#show version
Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco Content Services Gateway - Second Generation (CSG2) provides
intelligent network capabilities such as flexible policy management
and billing based on deep-packet inspection, as well as subscriber and
application awareness capabilities that enable mobile operators to
quickly and easily offer value-added, differentiated services over their
mobile data networks.
The service policy bypass vulnerability affects configurations that
allow end users to first access non-accounted or billed sites. After a
user accesses a non-accounted site, it is possible to access other sites
that are defined by a billing service policy or to access sites that may
be blocked by other policies by sending specially crafted HTTP packets.
This vulnerability only affects HTTP content traffic. HTTPS and other
traffic types are not affected. A three-way handshake is not required to exploit either of
these vulnerabilities. The vulnerabilities are triggered by TCP traffic
that transits the Cisco CSG2.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtk35917 ("Service Policy Bypass Vulnerability")
CVSS Base Score - 6.4
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth41891/CSCth17178 ("Crafted TCP packet causes CSG2 to restart")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the service policy bypass can allow customers
to obtain access to sites that would normally be accounted and billed
according to the billing policy without the billing policy being
engaged. Additionally, customers could gain access to URLs that are
configured in the Cisco CSG2 to be explicitly denied. Due to Cisco
Bug ID CSCtg50821, the Cisco CSG2 may not automatically recover and
may require a manual reload of the SAMI card by issuing the "hw-module
module <x> reset" CLI command from the switch.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS Software table (below) names a Cisco IOS
release train. If a release train is vulnerable, then the earliest
possible releases that contain the fix (along with the anticipated date
of availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. The "Recommended Release" column indicates
the releases which have fixes for all the published vulnerabilities
at the time of this Advisory. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable. Cisco recommends
upgrading to a release equal to or later than the release in the
"Recommended Releases" column of the table.
+---------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+--------------------------------------------------|
| Affected | |
| 12.x-Based | First Fixed Release |
| Releases | |
|------------+--------------------------------------------------|
| 12.0 - | 12.0 through 12.3 based releases are not |
| 12.3 | affected |
|------------+--------------------------------------------------|
| Affected | First Fixed Release |
| 12.4-Based |--------------------------------------------------|
| Releases | DoS | Service Policy Bypass |
| | Vulnerabilities | Vulnerability |
|------------+------------------+-------------------------------|
| | All 12.4(11)MD | |
| | releases are not | All 12.4(11)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | All 12.4(15)MD | |
| | releases are not | All 12.4(15)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | All 12.4(22)MD | |
| 12.4MD | releases are not | All 12.4(22)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | Releases prior | |
| | to 12.4(24)MD1 | All 12.4(24)MD releases prior |
| | are not | to 12.4(24)MD3 are affected. |
| | affected. | |
| | | First fixed in 12.4(24)MD3 |
| | First fixed in | |
| | 12.4(24)MD2 | |
|------------+------------------+-------------------------------|
| | | All 12.4(22)MDA releases |
| | | prior to 12.4(22)MDA5 are |
| | | affected. First fixed in 12.4 |
| | No releases | (22)MDA5 |
| 12.4MDA | affected. | |
| | | All 12.4(24)MDA releases |
| | | prior to 12.4(24)MDA3 are |
| | | affected. First fixed in 12.4 |
| | | (24)MDA3 |
|------------+--------------------------------------------------|
| Affected | |
| 15.X-Based | First Fixed Release |
| Releases | |
|------------+--------------------------------------------------|
| 15.0 - | 15.0 through 15.1 based releases are not |
| 15.1 | affected |
+---------------------------------------------------------------+
Cisco IOS Software for the CSG2 is located on Cisco Software Download
center at the following location: Cisco Interfaces and Modules --> Cisco
Services Modules --> Cisco Service Application Module for IP.
Workarounds
===========
There are no workarounds for these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is aware of public announcements of the service billing
bypass vulnerability on some external blog sites. However the Cisco
PSIRT is not aware of any malicious use of the vulnerabilities described
in this advisory.
These vulnerabilities were found by both internal testing and when
handling customer support calls.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-January-26 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk1APx0ACgkQQXnnBKKRMNBE4QD/WfH2GXgAJub+4ech0JhHizBO
98PLNKENutVsJpa0eCUA/2hKwfofNSloEh7i5JZXrwKFcjgBYJcPnDa1W2JRHSfZ
=EZt9
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Cisco Content Services Gateway Security Bypass and Denial of Service
SECUNIA ADVISORY ID:
SA43052
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43052/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43052
RELEASE DATE:
2011-01-27
DISCUSS ADVISORY:
http://secunia.com/advisories/43052/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43052/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43052
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Content Services
Gateway (CSG2), which can be exploited by malicious people to bypass
certain security restrictions and cause a DoS (Denial of Service).
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
cisco-sa-20110126-csg2:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6791d.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-201101-0211 | CVE-2011-0348 | CSG2 Run on Cisco IOS Vulnerabilities that can bypass access and billing restrictions |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.4(11)MD, 12.4(15)MD, 12.4(22)MD, 12.4(24)MD before 12.4(24)MD3, 12.4(22)MDA before 12.4(22)MDA5, and 12.4(24)MDA before 12.4(24)MDA3 on the Cisco Content Services Gateway Second Generation (aka CSG2) allows remote attackers to bypass intended access restrictions and intended billing restrictions by sending HTTP traffic to a restricted destination after sending HTTP traffic to an unrestricted destination, aka Bug ID CSCtk35917. The problem is Bug ID CSCtk35917 It is a problem.Third parties may circumvent restrictions such as access and billing. Cisco Content Services Gateway is prone to a security-bypass vulnerability.
Exploiting this issue may allow attackers to access sites that are non-accounted or billed. This may lead to other attacks.
This issue is being tracked by Cisco Bug ID CSCtk35917. Malicious attackers can exploit these vulnerabilities to bypass certain security restrictions, resulting in a denial of service. 1) There is a vulnerability when checking access policies. 2) There is an unknown vulnerability. 3) There is a second unidentified vulnerability. Under certain
configurations this vulnerability could allow:
* Customers to access sites that would normally match a billing
policy to be accessed without being charged to the end customer
* Customers to access sites that would normally be denied based on
configured restriction policies
Additionally, Cisco IOS Software Release 12.4(24)MD1 on the Cisco
CSG2 contains two vulnerabilities that can be exploited by a remote,
unauthenticated attacker to create a denial of service condition that
prevents traffic from passing through the CSG2. These vulnerabilities
require only a single content service to be active on the Cisco CSG2 and
can be exploited via crafted TCP packets. A three-way handshake is not
required to exploit either of these vulnerabilities.
Workarounds that mitigate these vulnerabilities are not available.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml.
Affected Products
=================
The service policy bypass vulnerability affects all versions of the
Cisco IOS Software for the CSG2 prior to the first fixed release, as
indicated in the "Software Versions and Fixes" section of this advisory.
The two denial of service vulnerabilities only affect Cisco IOS Software
Release 12.4(24)MD1 on the Cisco CSG2. No other Cisco IOS Software
releases are affected.
Vulnerable Products
+------------------
To determine the version of Cisco IOS Software that is running on the
Cisco CSG2, issue the "show module" command from Cisco IOS Software on
the switch on which the Cisco CSG2 module is installed to identify what
modules and sub-modules are installed on the system.
Cisco CSG2 runs on the Cisco Service and Application Module for IP
(SAMI) card, and is identified in the following example in slot 2 via
the WS-SVC-SAMI-BB-K9 identification:
C7600#show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
1 2 Supervisor Engine 720 (Active) WS-SUP720-3BXL JAF1226ARQS
2 1 SAMI Module (csgk9) WS-SVC-SAMI-BB-K9 SAD113906P1
4 48 CEF720 48 port 10/100/1000mb Ethernet WS-X6748-GE-TX SAL1127T6XY
Mod MAC addresses Hw Fw Sw Status
--- ---------------------------------- ------ ------------ ------------ -------
1 001e.be6e.a018 to 001e.be6e.a01b 5.6 8.5(2) 12.2(33)SRC5 Ok
2 001d.45f8.f3dc to 001d.45f8.f3e3 2.1 8.7(0.22)FW1 12.4(2010040 Ok
4 001c.587a.ef20 to 001c.587a.ef4f 2.6 12.2(14r)S5 12.2(33)SRC5 Ok
Mod Sub-Module Model Serial Hw Status
---- --------------------------- ------------------ ----------- ------- -------
1 Policy Feature Card 3 WS-F6K-PFC3BXL JAF1226BNQM 1.8 Ok
1 MSFC3 Daughterboard WS-SUP720 JAF1226BNMC 3.1 Ok
2 SAMI Daughterboard 1 SAMI-DC-BB SAD114400L9 1.1 Other
2 SAMI Daughterboard 2 SAMI-DC-BB SAD114207FU 1.1 Other
4 Centralized Forwarding Card WS-F6700-CFC SAL1029VGFK 2.0 Ok
Mod Online Diag Status
---- -------------------
1 Pass
2 Pass
4 Pass
C7600#
After locating the correct slot, issue the "session slot <module number>
processor <3-9>" command to open a console connection to the respective
Cisco CSG2. Once connected to the Cisco CSG2, perform the "show version"
command:
The following example shows that the Cisco CSG2 is running software
Release 12.4(24)MD1:
CSG2#show version
Cisco IOS Software, SAMI Software (SAMI-CSGK9-M), Version 12.4(24)MD1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Wed 07-Apr-10 09:50 by prod_rel_team
--- output truncated ---
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Content Services Gateway - 1st Generation (CSG) is not
affected by these vulnerabilities.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco Content Services Gateway - Second Generation (CSG2) provides
intelligent network capabilities such as flexible policy management
and billing based on deep-packet inspection, as well as subscriber and
application awareness capabilities that enable mobile operators to
quickly and easily offer value-added, differentiated services over their
mobile data networks. After a
user accesses a non-accounted site, it is possible to access other sites
that are defined by a billing service policy or to access sites that may
be blocked by other policies by sending specially crafted HTTP packets. HTTPS and other
traffic types are not affected.
Both denial of service vulnerabilities require only a single content
service to be active on the Cisco CSG2 and can be exploited via crafted
TCP packets. A three-way handshake is not required to exploit either of
these vulnerabilities. The vulnerabilities are triggered by TCP traffic
that transits the Cisco CSG2.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtk35917 ("Service Policy Bypass Vulnerability")
CVSS Base Score - 6.4
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth41891/CSCth17178 ("Crafted TCP packet causes CSG2 to restart")
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the service policy bypass can allow customers
to obtain access to sites that would normally be accounted and billed
according to the billing policy without the billing policy being
engaged. Additionally, customers could gain access to URLs that are
configured in the Cisco CSG2 to be explicitly denied.
Successful exploitation of either denial of service vulnerability could
result in the Cisco CSG2 reloading or potentially hanging. Due to Cisco
Bug ID CSCtg50821, the Cisco CSG2 may not automatically recover and
may require a manual reload of the SAMI card by issuing the "hw-module
module <x> reset" CLI command from the switch.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS Software table (below) names a Cisco IOS
release train. If a release train is vulnerable, then the earliest
possible releases that contain the fix (along with the anticipated date
of availability for each, if applicable) are listed in the "First Fixed
Release" column of the table. The "Recommended Release" column indicates
the releases which have fixes for all the published vulnerabilities
at the time of this Advisory. A device running a release in the given
train that is earlier than the release in a specific column (less than
the First Fixed Release) is known to be vulnerable. Cisco recommends
upgrading to a release equal to or later than the release in the
"Recommended Releases" column of the table.
+---------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|------------+--------------------------------------------------|
| Affected | |
| 12.x-Based | First Fixed Release |
| Releases | |
|------------+--------------------------------------------------|
| 12.0 - | 12.0 through 12.3 based releases are not |
| 12.3 | affected |
|------------+--------------------------------------------------|
| Affected | First Fixed Release |
| 12.4-Based |--------------------------------------------------|
| Releases | DoS | Service Policy Bypass |
| | Vulnerabilities | Vulnerability |
|------------+------------------+-------------------------------|
| | All 12.4(11)MD | |
| | releases are not | All 12.4(11)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | All 12.4(15)MD | |
| | releases are not | All 12.4(15)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | All 12.4(22)MD | |
| 12.4MD | releases are not | All 12.4(22)MD releases are |
| | affected. | affected. Migrate to a fixed |
| | | release. |
| | Releases prior | |
| | to 12.4(24)MD1 | All 12.4(24)MD releases prior |
| | are not | to 12.4(24)MD3 are affected. |
| | affected. | |
| | | First fixed in 12.4(24)MD3 |
| | First fixed in | |
| | 12.4(24)MD2 | |
|------------+------------------+-------------------------------|
| | | All 12.4(22)MDA releases |
| | | prior to 12.4(22)MDA5 are |
| | | affected. First fixed in 12.4 |
| | No releases | (22)MDA5 |
| 12.4MDA | affected. | |
| | | All 12.4(24)MDA releases |
| | | prior to 12.4(24)MDA3 are |
| | | affected. First fixed in 12.4 |
| | | (24)MDA3 |
|------------+--------------------------------------------------|
| Affected | |
| 15.X-Based | First Fixed Release |
| Releases | |
|------------+--------------------------------------------------|
| 15.0 - | 15.0 through 15.1 based releases are not |
| 15.1 | affected |
+---------------------------------------------------------------+
Cisco IOS Software for the CSG2 is located on Cisco Software Download
center at the following location: Cisco Interfaces and Modules --> Cisco
Services Modules --> Cisco Service Application Module for IP.
Workarounds
===========
There are no workarounds for these vulnerabilities.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is aware of public announcements of the service billing
bypass vulnerability on some external blog sites. However the Cisco
PSIRT is not aware of any malicious use of the vulnerabilities described
in this advisory.
These vulnerabilities were found by both internal testing and when
handling customer support calls.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2011-January-26 | Initial public release. |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk1APx0ACgkQQXnnBKKRMNBE4QD/WfH2GXgAJub+4ech0JhHizBO
98PLNKENutVsJpa0eCUA/2hKwfofNSloEh7i5JZXrwKFcjgBYJcPnDa1W2JRHSfZ
=EZt9
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Cisco Content Services Gateway Security Bypass and Denial of Service
SECUNIA ADVISORY ID:
SA43052
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43052/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43052
RELEASE DATE:
2011-01-27
DISCUSS ADVISORY:
http://secunia.com/advisories/43052/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43052/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43052
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Multiple vulnerabilities have been reported in Cisco Content Services
Gateway (CSG2), which can be exploited by malicious people to bypass
certain security restrictions and cause a DoS (Denial of Service).
SOLUTION:
Apply fixes (please see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
cisco-sa-20110126-csg2:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6791d.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-201101-0473 | No CVE | MuPDF 'closedctd()' PDF File Handling Remote Code Execution Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
MuPDF is prone to a remote code-execution vulnerability.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application or crash the application, denying service to legitimate users.
MuPDF 0.7 is vulnerable; other versions may also be affected.
| VAR-201101-0033 | CVE-2011-0639 | Apple of Mac OS X Vulnerable to arbitrary program execution |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer. Apple Mac OS X is a dedicated operating system developed by Apple for Mac computers. A user-assisted attacker can execute arbitrary programs with the help of specially crafted USB data
| VAR-201102-0092 | CVE-2011-0902 | Sun Microsystems SunScreen Firewall of Java Service Vulnerable to arbitrary code execution |
CVSS V2: 6.9 CVSS V3: - Severity: MEDIUM |
Multiple untrusted search path vulnerabilities in the Java Service in Sun Microsystems SunScreen Firewall on SunOS 5.9 allow local users to execute arbitrary code via a modified (1) PATH or (2) LD_LIBRARY_PATH environment variable. SunScreen Firewall is prone to a local privilege-escalation vulnerability.
An attacker can exploit this issue to run arbitrary commands with root privileges