VARIoT IoT vulnerabilities database

VAR-200908-0267 | CVE-2009-2188 | Apple Mac OS of ImageIO and Safari Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and Safari before 4.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with crafted EXIF metadata. Apple's ImageIO component is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.
Successful exploits will allow an attacker to run arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
This issue affects Mac OS X 10.5 through 10.5.7, Mac OS X Server 10.5 through 10.5.7, and Apple Safari prior to 4.0.3.
NOTE: This vulnerability was previously documented in BID 35954 (Apple Mac OS X 2009-003 Multiple Security Vulnerabilities) but has been given its own record to better document the issue.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code.
For more information:
SA28923
SOLUTION:
Update to Mac OS X v10.5.8 or apply Security Update 2009-003. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200908-0247 | CVE-2009-0151 | Apple Mac OS of Dock Vulnerability that can prevent locks in screen savers inside |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The screen saver in Dock in Apple Mac OS X 10.5 before 10.5.8 does not prevent four-finger Multi-Touch gestures, which allows physically proximate attackers to bypass locking and "manage applications or use Expose" via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200908-0264 | CVE-2009-2198 | Apple GarageBand Information Disclosure Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple GarageBand before 5.1 reconfigures Safari to accept all cookies regardless of domain name, which makes it easier for remote web servers to track users. Apple GarageBand is prone to an information-disclosure vulnerability.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in tracking a user's web activities.
This issue affects versions prior to GarageBand 5.1 for Mac OS X 10.5.7. Apple GarageBand is a set of music production software from Apple (Apple). ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Apple GarageBand Web Activity Tracking Disclosure
SECUNIA ADVISORY ID:
SA36114
VERIFY ADVISORY:
http://secunia.com/advisories/36114/
DESCRIPTION:
A security issue has been reported in GarageBand, which can be
exploited by malicious people to gain knowledge of sensitive
information.
The problem is caused due to Safari's preferences being changed to
always accept cookies when opening GarageBand. This could allow third
parties and advertisers to track a user's web activity.
SOLUTION:
Update to version 5.1.
http://support.apple.com/downloads/GarageBand_5_1
NOTE: Users of previous versions should also check that their Safari
preferences are set as desired.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3732
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200909-0290 | CVE-2009-3455 | Apple Safari In any SSL Vulnerability impersonating a server |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Safari, possibly before 4.0.3, on Mac OS X does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. SSL A vulnerability that impersonates a server exists. The problem is CVE-2009-2408 The problem is related to.By attackers, through a crafted certificate SSL There is a possibility of impersonating a server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
UPDATE (October 5, 2009): The vendor states that Safari on Mac OS X is not affected by this issue. This vulnerability is related to CVE-2009-2408
VAR-200907-0748 | CVE-2009-2408 | plural Mozilla product any in SSL Server spoofing vulnerability |
CVSS V2: 6.8 CVSS V3: 5.9 Severity: MEDIUM |
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. plural Mozilla product for, X.509 certificate of Common Name (CN) within the domain name in the field. Mozilla Network Security Services (NSS) is a function library (network security service library) of the Mozilla Foundation in the United States. The product provides cross-platform support for SSL, S/MIME and other Internet security standards. There is a mismatch between the NSS library's handling of the domain name in the SSL certificate between the SSL client and the CA that issued the server certificate. If a malicious user requests a certificate from a hostname with an invalid null character, most CAs will issue a certificate as long as the requester has the domain specified after the null character, but most SSL clients (browsers) will ignore this part of the name, Using a null character before the portion of validation allows an attacker to use a fake certificate in a man-in-the-middle attack to establish a false trust relationship.
A vulnerability was found in xmltok_impl.c (expat) that with
specially crafted XML could be exploited and lead to a denial of
service attack. Related to CVE-2009-2625.
This update provides the latest version of Thunderbird which are not
vulnerable to these issues.
Update:
The mozilla-thunderbird-moztraybiff packages had the wrong release
which prevented it to be upgraded (#53129). The new packages addresses
this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
https://bugs.gentoo.org/show_bug.cgi?id=280615
https://qa.mandriva.com/53129
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.1:
e1c540f94c8b66fa4495de6015ed85db 2009.1/i586/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.i586.rpm
ab2fa7586f21de2f23216def8c542db6 2009.1/SRPMS/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
b9ff59f0c11d63a1234365ea55ed5f46 2009.1/x86_64/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.x86_64.rpm
ab2fa7586f21de2f23216def8c542db6 2009.1/SRPMS/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKzcjqmqjQ0CJFipgRArPoAKDTymDqJYIxV5BbT+2AwZppDwJIpACeJ4ht
VW9XZMiWqP+lDv+zVbOlvnY=
=ruxq
-----END PGP SIGNATURE-----
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1874-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
August 26, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : nss
Vulnerability : several
Problem type : local(remote)
Debian-specific: no
CVE Id(s) : CVE-2009-2404 CVE-2009-2408 CVE-2009-2409
Several vulnerabilities have been discovered in the Network Security
Service libraries.
CVE-2009-2408
Dan Kaminsky discovered that NULL characters in certificate
names could lead to man-in-the-middle attacks by tricking the user
into accepting a rogue certificate.
CVE-2009-2409
Certificates with MD2 hash signatures are no longer accepted
since they're no longer considered cryptograhically secure.
The old stable distribution (etch) doesn't contain nss.
For the stable distribution (lenny), these problems have been fixed in
version 3.12.3.1-0lenny1.
For the unstable distribution (sid), these problems have been fixed in
version 3.12.3.1-1.
We recommend that you upgrade your nss packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/n/nss/nss_3.12.3.1-0lenny1.dsc
Size/MD5 checksum: 1401 1dbc1107598064214fa689733495c56c
http://security.debian.org/pool/updates/main/n/nss/nss_3.12.3.1.orig.tar.gz
Size/MD5 checksum: 5320607 750839c9c018a0984fd94f7a9cc3dd7f
http://security.debian.org/pool/updates/main/n/nss/nss_3.12.3.1-0lenny1.diff.gz
Size/MD5 checksum: 52489 96f62370296f7d18a9748429ac99525f
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 3048842 6b764e28ae56542572a4275e50c4d303
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 267250 b00f4c63a8d27a54fb562029411daf0e
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 1204106 c8ba098d6cc0af39ab93cd728ca7bb19
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_alpha.deb
Size/MD5 checksum: 342544 2191bbcd5708f719392c8489bde7a0c6
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 256944 7a31770b748ff56ba45ac55044960b6d
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 1069628 eea22c2ccef5375689fe581de8152a61
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 321374 1b86ac1f27fee3287f1418973595a4e9
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_amd64.deb
Size/MD5 checksum: 3099080 f4112f9f06d87e6139097a27e1419664
arm architecture (ARM)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 2900162 21604ffa61b7f5049f0f919030fec0f0
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 1011344 78bc0d853274ca2fc9f36752ed9f9c51
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 308766 e7547e80f6726b91611f9b92d83aa6b3
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_arm.deb
Size/MD5 checksum: 254374 ead00e7f25c47cc4b8b1ed99801c4ab9
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 257820 a17086cca6fdaf26e5a6b3fb84ae476d
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 308198 f24e01f4b2396193a314a965555374e8
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 1017054 d1086599e6a1904548804d538f90c810
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_armel.deb
Size/MD5 checksum: 2923084 b5e1d56b749941124c8b91f063d44c19
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 263122 b611c51dae677b42befac5f2e638d941
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 347148 c725c156c6cd17d09421e066548c673d
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 1169014 d5858e4c11ca0b88f59c24af1a251eea
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_hppa.deb
Size/MD5 checksum: 2948790 92a46a3cd9b2db3c7f0d07d817a03ba4
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 957706 21a666157a0a208d8405df062b3276d2
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 304016 9771905fcb4acd6855158c8645722762
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 2913468 89b7116120a075a7795615d062bd7450
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_i386.deb
Size/MD5 checksum: 254478 7747ea82c2d9e93c6a610d60094fb316
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 267008 94a0fe98c183a728df7e64826f8b2c46
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 410780 a834a4f57ddc003570c6eaaafbc87032
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 2797788 1a1f375f7713f69acdf01e77f779b28b
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_ia64.deb
Size/MD5 checksum: 1489492 a468da7ac4219e564793d06978a6be07
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 257808 fc1a4db95e71876cf0ffbe0b49327148
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 3049346 fc35475e7157e1859c154556ecb648b3
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 318740 fbafbce5a6d9498d8cd1fe1d8f1eaebc
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_mips.deb
Size/MD5 checksum: 1038702 0723e7d8621b7d65517cc3945a9790be
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 1028286 81e4bcd025b2ee3996de08b9fdb0b23a
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 317082 8b16e198a97ffb60df698767fef8cc35
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 2999704 d1f9bf1211ec7aa9458dcdd673a4a709
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_mipsel.deb
Size/MD5 checksum: 257740 82ed6773d6e942a70f1274e4a241bdd9
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 255174 6abcf8f6d427c29f704ca156dc201113
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 1029684 997fec6bb01c10e9e3c6aa15f0f78386
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 334590 1c8056037d5bccdad7977b49d3910065
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_powerpc.deb
Size/MD5 checksum: 2946754 1739d7e55a79d8e85dc5e668180846ae
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 1178522 0e72b044e78bca218a8d55c20c16e8d5
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 3020690 7115f25dbf7c31c55e768d48a29c8b46
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 258572 f8bf00777c295c76b0071a1354b011fa
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_s390.deb
Size/MD5 checksum: 346234 accf6855c0b8ea6d087bf062b2ac1d7b
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/n/nss/libnss3-tools_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 317482 f2f321d58890c1edb386ebc224ac052e
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 996192 cf17776aa8674a8c7e71527b6534b0e2
http://security.debian.org/pool/updates/main/n/nss/libnss3-dev_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 257464 2452b9eef9a3c0b786d4dc4afc2d16ae
http://security.debian.org/pool/updates/main/n/nss/libnss3-1d-dbg_3.12.3.1-0lenny1_sparc.deb
Size/MD5 checksum: 2712012 910e98017dabb5adcc109f05f94b1a56
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkqVhkcACgkQXm3vHE4uylpTzACgw3nQF03hRSfcEOdoLuFPoEB6
3qsAoLX3vrb6zwD2aC/NYwDAg6X3mTgf
=u47A
-----END PGP SIGNATURE-----
.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Network Security Services Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA36093
VERIFY ADVISORY:
http://secunia.com/advisories/36093/
DESCRIPTION:
Some vulnerabilities have been reported in Network Security Services,
which can potentially be exploited by malicious people to bypass
certain security restrictions or to compromise a vulnerable system.
1) An error in the regular expression parser when matching common
names in certificates can be exploited to cause a heap-based buffer
overflow, e.g. via a specially crafted certificate signed by a
trusted CA or when a user accepts a specially crafted certificate.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in the parsing of certain certificate fields,
which can be exploited to e.g. get a client to accept a specially
crafted certificate by mistake.
SOLUTION:
Update to version 3.12.3 or later.
PROVIDED AND/OR DISCOVERED BY:
Red Hat credits:
1) Moxie Marlinspike
2) Dan Kaminsky
ORIGINAL ADVISORY:
https://bugzilla.redhat.com/show_bug.cgi?id=512912
https://bugzilla.redhat.com/show_bug.cgi?id=510251
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200907-0062 | CVE-2009-1168 | Cisco IOS In RFC4893 BGP Service disruption related to routing processing (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0(33)S4, 12.0(32)SY8 through 12.0(32)SY9, 12.2(33)SXI1, 12.2XNC before 12.2(33)XNC2, 12.2XND before 12.2(33)XND1, and 12.4(24)T1; and IOS XE 2.3 through 2.3.1t and 2.4 through 2.4.0; when RFC4893 BGP routing is enabled, allows remote attackers to cause a denial of service (memory corruption and device reload) by using an RFC4271 peer to send an update with a long series of AS numbers, aka Bug ID CSCsy86021. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCsy86021. May trigger memory corruption and crash showing %%Software-forced reload error. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An unspecified error exists in the processing of BGP update
messages. constructed from more than 1000 autonomous
systems.
SOLUTION:
Update to a fixed version (please see the vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol
4-Byte Autonomous System Number
Vulnerabilities
Advisory ID: cisco-sa-20090729-bgp
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Revision: 1.0
=========
For Public Release 2009 July 29 1600 UTC (GMT)
Summary
=======
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software
with support for four-octet AS number space (here after referred to as
4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path
segments made up of more than one thousand autonomous systems.
Cisco has released free software updates to address these
vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Affected Products
=================
Vulnerable Products
+------------------
These vulnerabilities affect only devices running Cisco IOS and
Cisco IOS XE Software (here after both referred to as simply Cisco
IOS) with support for RFC4893 and that have been configured for
BGP routing.
The software table in the section "Software Versions and Fixes" of
this advisory indicates all affected Cisco IOS Software versions that
have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS software version that has support for RFC4893 will allow
configuration of AS numbers using 4 Bytes. The following example
identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
<1.0-XX.YY> 4 Octets Autonomous system number
Or:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-4294967295> Autonomous system number
<1.0-XX.YY> Autonomous system number
The following example identifies a Cisco device that has 2 byte AS
number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
A router that is running the BGP process will contain a line in the
configuration that defines the autonomous system number (AS number),
which can be seen by issuing the command line interface (CLI) command
"show running-config".
The canonical textual representation of four byte AS Numbers is
standardized by the IETF through RFC5396 (Textual Representation of
Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS
routers support both textual representations of AS numbers. For
further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte
Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS" at
the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both
vulnerabilities if BGP routing is configured using either ASPLAIN or
ASDOT notation.
The following example identifies a Cisco device that is configured
for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured
for BGP using ASDOT notation:
router bgp 1.0
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS Software not explicitly mentioned in this Advisory
* Cisco IOS XR Software
* Cisco IOS NX-OS
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
RFC4271 has defined an AS number as a two-octet entity in BGP.
RFC4893 has defined an AS number as a four-octet entity in BGP.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains AS path segments made up of more
than one thousand autonomous systems. If an affected 4-byte AS number
BGP speaker receives a BGP update from a 2-byte AS number BGP speaker
that contains AS path segments made up of more than one thousand
autonomous systems, the device may crash with memory corruption, and
the error "%%Software-forced reload" will be displayed.
The following three conditions are required for successful
exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a BGP update with a
series of greater than one thousand AS numbers
Note: Note: Cisco IOS, Cisco IOS XE, Cisco NX-OS and Cisco IOS XR
Software, as a 2 byte AS number BGP speaker send BGP updates with
a maximum of 255 AS numbers. The following three conditions are
required for successful exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a non-RFC compliant
crafted BGP update message
This vulnerability is documented in Cisco Bug ID CSCta33973 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-2049.
Further information regarding Cisco support for 4-byte AS number is
available in "Cisco IOS BGP 4-Byte ASN Support" at the following
link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsy86021: Cisco IOS Software BGP Long AS-path Vulnerability
CVSS Base Score - 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 6.7
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
CSCta33973: Cisco IOS Software Crafted BGP Update Message Vulnerability
CVSS Base Score - 5.4
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 4.5
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. The issue could result
in repeated exploitation to cause an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |Recommended |
|12.0-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.0 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.0(32)S11 | |
| |are not vulnerable; first fixed in | |
|12.0S |12.0(32)S14; | |
| | | |
| |Releases up to and including 12.0(33)S2 are| |
| |not vulnerable; first fixed in 12.0(33)S5 | |
|----------+-------------------------------------------+------------|
|12.0SC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0ST |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SY |Releases up to and including 12.0(32)SY7 |12.0(32)SY10|
| |are not vulnerable; first fixed in | |
| |12.0(32)SY9a. | |
|----------+-------------------------------------------+------------|
|12.0SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0W |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.1-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.2-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.2 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2B |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EWA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2S |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SBC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SED |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SGA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2STE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.2(33)SXI | |
|12.2SXI |are not vulnerable; CSCsy86021 first fixed | |
| |in 12.2(33)SXI2; CSCta33973 first fixed in | |
| |12.2(33)SXI3 | |
|----------+-------------------------------------------+------------|
|12.2SY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2TPC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNC |12.2(33)XNC2 | |
|----------+-------------------------------------------+------------|
|12.2XND |12.2(33)XND1; available 25th August 2009 | |
|----------+-------------------------------------------+------------|
|12.2XO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZYA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.3-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.4-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.4 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to 12.4(24)T are not | |
|12.4T |vulnerable; first fixed in 12.4(24)T2 | |
| |available on 23-Oct-2009 | |
|----------+-------------------------------------------+------------|
|12.4XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YD |Not Vulnerable | |
+-------------------------------------------------------------------+
Cisco IOS XE Release Table
+-------------------------
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.1 | There are no affected 2.1 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.2 | There are no affected 2.2 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | Releases up to and including 2.3.1t are vulnerable; |
| 2.3 | First fixed in 2.3.2 |
| Releases | |
|----------+--------------------------------------------------------+
| Affected | Releases up to and including 2.4.0 are vulnerable; |
| 2.4 | First fixed in 2.4.1, available 25th August 2009 |
| Releases | |
+----------+--------------------------------------------------------+
Workarounds
===========
For the first vulnerability, there are no workarounds on the affected
device. Neighbors could be configured to discard routes that have
more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP
updates with the AS path segments made up of greater than one
thousand AS numbers.
Note: Configuring "bgp maxas-limit [value]" on the affected device
does not mitigate this vulnerability.
For the second vulnerability, configuring "bgp maxas-limit [value]"
on the affected device does mitigate this vulnerability. Cisco is
recommends using a conservative value of 100 to mitigate this
vulnerability.
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious exploitation of either of
these vulnerabilities, although we are aware of some customers who
have seen the first vulnerability triggered within their
infrastructures. Further investigation of those incidents seems to
indicate that the vulnerability has been accidentally triggered.
These vulnerabilities were discovered via internal product testing.
Status of this Notice: FINAL
============================
This information is Cisco Highly Confidential - Do not redistribute.
THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-July-29 1600 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKcGNc86n/Gc8U/uARAks6AKCCWLTakna/WbNzMuIbeGPJGJHnbQCfbYEi
I6XwyRZTnktw7RSnT6Y/N1E=
=KmUm
-----END PGP SIGNATURE-----
VAR-200907-0096 | CVE-2009-2049 | Cisco IOS In RFC4893 BGP Service disruption related to routing processing (DoS) Vulnerabilities |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0(33)S4, 12.0(32)SY8 through 12.0(32)SY9, 12.2(33)SXI1 through 12.2(33)SXI2, 12.2XNC before 12.2(33)XNC2, 12.2XND before 12.2(33)XND1, and 12.4(24)T1; and IOS XE 2.3 through 2.3.1t and 2.4 through 2.4.0; when RFC4893 BGP routing is enabled, allows remote attackers to cause a denial of service (device reload) by using an RFC4271 peer to send a malformed update, aka Bug ID CSCta33973. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCta33973. May trigger memory corruption and crash with \\%\\%Software-forced reload error. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An unspecified error exists in the processing of BGP update
messages. constructed from more than 1000 autonomous
systems.
SOLUTION:
Update to a fixed version (please see the vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol
4-Byte Autonomous System Number
Vulnerabilities
Advisory ID: cisco-sa-20090729-bgp
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Revision: 1.0
=========
For Public Release 2009 July 29 1600 UTC (GMT)
Summary
=======
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software
with support for four-octet AS number space (here after referred to as
4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path
segments made up of more than one thousand autonomous systems.
Cisco has released free software updates to address these
vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Affected Products
=================
Vulnerable Products
+------------------
These vulnerabilities affect only devices running Cisco IOS and
Cisco IOS XE Software (here after both referred to as simply Cisco
IOS) with support for RFC4893 and that have been configured for
BGP routing.
The software table in the section "Software Versions and Fixes" of
this advisory indicates all affected Cisco IOS Software versions that
have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS software version that has support for RFC4893 will allow
configuration of AS numbers using 4 Bytes. The following example
identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
<1.0-XX.YY> 4 Octets Autonomous system number
Or:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-4294967295> Autonomous system number
<1.0-XX.YY> Autonomous system number
The following example identifies a Cisco device that has 2 byte AS
number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
A router that is running the BGP process will contain a line in the
configuration that defines the autonomous system number (AS number),
which can be seen by issuing the command line interface (CLI) command
"show running-config".
The canonical textual representation of four byte AS Numbers is
standardized by the IETF through RFC5396 (Textual Representation of
Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS
routers support both textual representations of AS numbers. For
further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte
Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS" at
the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both
vulnerabilities if BGP routing is configured using either ASPLAIN or
ASDOT notation.
The following example identifies a Cisco device that is configured
for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured
for BGP using ASDOT notation:
router bgp 1.0
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS Software not explicitly mentioned in this Advisory
* Cisco IOS XR Software
* Cisco IOS NX-OS
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
RFC4271 has defined an AS number as a two-octet entity in BGP.
RFC4893 has defined an AS number as a four-octet entity in BGP.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains AS path segments made up of more
than one thousand autonomous systems. If an affected 4-byte AS number
BGP speaker receives a BGP update from a 2-byte AS number BGP speaker
that contains AS path segments made up of more than one thousand
autonomous systems, the device may crash with memory corruption, and
the error "%%Software-forced reload" will be displayed.
The following three conditions are required for successful
exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a BGP update with a
series of greater than one thousand AS numbers
Note: Note: Cisco IOS, Cisco IOS XE, Cisco NX-OS and Cisco IOS XR
Software, as a 2 byte AS number BGP speaker send BGP updates with
a maximum of 255 AS numbers. The following three conditions are
required for successful exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a non-RFC compliant
crafted BGP update message
This vulnerability is documented in Cisco Bug ID CSCta33973 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-2049.
Further information regarding Cisco support for 4-byte AS number is
available in "Cisco IOS BGP 4-Byte ASN Support" at the following
link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsy86021: Cisco IOS Software BGP Long AS-path Vulnerability
CVSS Base Score - 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 6.7
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
CSCta33973: Cisco IOS Software Crafted BGP Update Message Vulnerability
CVSS Base Score - 5.4
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 4.5
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. The issue could result
in repeated exploitation to cause an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |Recommended |
|12.0-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.0 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.0(32)S11 | |
| |are not vulnerable; first fixed in | |
|12.0S |12.0(32)S14; | |
| | | |
| |Releases up to and including 12.0(33)S2 are| |
| |not vulnerable; first fixed in 12.0(33)S5 | |
|----------+-------------------------------------------+------------|
|12.0SC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0ST |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SY |Releases up to and including 12.0(32)SY7 |12.0(32)SY10|
| |are not vulnerable; first fixed in | |
| |12.0(32)SY9a. | |
|----------+-------------------------------------------+------------|
|12.0SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0W |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.1-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.2-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.2 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2B |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EWA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2S |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SBC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SED |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SGA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2STE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.2(33)SXI | |
|12.2SXI |are not vulnerable; CSCsy86021 first fixed | |
| |in 12.2(33)SXI2; CSCta33973 first fixed in | |
| |12.2(33)SXI3 | |
|----------+-------------------------------------------+------------|
|12.2SY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2TPC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNC |12.2(33)XNC2 | |
|----------+-------------------------------------------+------------|
|12.2XND |12.2(33)XND1; available 25th August 2009 | |
|----------+-------------------------------------------+------------|
|12.2XO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZYA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.3-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.4-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.4 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to 12.4(24)T are not | |
|12.4T |vulnerable; first fixed in 12.4(24)T2 | |
| |available on 23-Oct-2009 | |
|----------+-------------------------------------------+------------|
|12.4XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YD |Not Vulnerable | |
+-------------------------------------------------------------------+
Cisco IOS XE Release Table
+-------------------------
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.1 | There are no affected 2.1 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.2 | There are no affected 2.2 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | Releases up to and including 2.3.1t are vulnerable; |
| 2.3 | First fixed in 2.3.2 |
| Releases | |
|----------+--------------------------------------------------------+
| Affected | Releases up to and including 2.4.0 are vulnerable; |
| 2.4 | First fixed in 2.4.1, available 25th August 2009 |
| Releases | |
+----------+--------------------------------------------------------+
Workarounds
===========
For the first vulnerability, there are no workarounds on the affected
device. Neighbors could be configured to discard routes that have
more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP
updates with the AS path segments made up of greater than one
thousand AS numbers.
Note: Configuring "bgp maxas-limit [value]" on the affected device
does not mitigate this vulnerability.
For the second vulnerability, configuring "bgp maxas-limit [value]"
on the affected device does mitigate this vulnerability. Cisco is
recommends using a conservative value of 100 to mitigate this
vulnerability.
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious exploitation of either of
these vulnerabilities, although we are aware of some customers who
have seen the first vulnerability triggered within their
infrastructures. Further investigation of those incidents seems to
indicate that the vulnerability has been accidentally triggered.
These vulnerabilities were discovered via internal product testing.
Status of this Notice: FINAL
============================
This information is Cisco Highly Confidential - Do not redistribute.
THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-July-29 1600 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKcGNc86n/Gc8U/uARAks6AKCCWLTakna/WbNzMuIbeGPJGJHnbQCfbYEi
I6XwyRZTnktw7RSnT6Y/N1E=
=KmUm
-----END PGP SIGNATURE-----
VAR-200907-0059 | CVE-2009-1165 | Cisco Wireless LAN Controller Memory leak vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0, 5.1 before 5.1.163.0, and 5.0 and 5.2 before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (memory consumption and device reload) via SSH management connections, aka Bug ID CSCsw40789. plural Cisco Used in products Cisco Wireless LAN Controller Contains a memory leak vulnerability. The problem is Bug ID : CSCsw40789 It is a problem.By a third party SSH Service disruption via management connection (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to trigger an affected device to crash and reload, denying service to legitimate users.
This issue is being tracked by Cisco BugID CSCsw40789. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
* The crafted HTTP or HTTPS request denial of service vulnerability
affects software versions 4.1 and later.
* The crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability affects software versions 4.1 and
later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsx03715 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
has been assigned CVE ID CVE-2009-1165.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsy27708 and
has been assigned CVE ID CVE-2009-1166.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
been assigned CVE ID CVE-2009-1167.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
VAR-200907-0061 | CVE-2009-1167 | Cisco Wireless LAN Controller Vulnerabilities whose settings are changed |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to modify the configuration via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy44672. plural Cisco Used in products Cisco Wireless LAN Controller (WLC) Contains a vulnerability that can be changed. The problem is Bug ID : CSCsy44672 It is a problem.Skillfully crafted by a third party HTTP Or HTTPS Settings may be changed via request.
Successful exploits may allow attackers to modify configuration settings, which may compromise the affected device or aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCsy44672. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections. An attacker could use this
behavior to cause an affected device to crash and reload.
Note: A three-way handshake is not required to exploit this
vulnerability.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
\xa9 2008 - 2009 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
VAR-200907-0060 | CVE-2009-1166 | Cisco Wireless LAN Controller For managing Web Service disruption at the interface (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy27708. plural Cisco Used in products Cisco Wireless LAN Controller (WLC) For managing Web Interface has a service disruption (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCsy27708 It is a problem.Skillfully crafted by a third party HTTP Or HTTPS Service disruption via request (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to trigger an affected device to crash and reload, causing denial-of-service conditions.
This issue is documented by Cisco Bug ID CSCsy27708. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
\xa9 2008 - 2009 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
VAR-200908-0426 | CVE-2009-2093 | IBM WPG Enterprise In the console SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in the console in IBM WebSphere Partner Gateway (WPG) Enterprise 6.0 before FP8, 6.1 before FP3, 6.1.1 before FP2, and 6.2 before FP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The issue affects the following:
WebSphere Partner Gateway 6.0 Enterprise
WebSphere Partner Gateway 6.1.0 Enterprise
WebSphere Partner Gateway 6.1.1 Enterprise
WebSphere Partner Gateway 6.2 Enterprise. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
WebSphere Partner Gateway 6.0:
Apply the latest Fix Pack (WPG 6.0 FP8 or later) or APAR JR32608.
WebSphere Partner Gateway 6.1:
Apply the latest Fix Pack (WPG 6.1 FP3, WPG 6.1.1 FP2 or later), or
APAR JR32609 or APAR JR32386.
WebSphere Partner Gateway 6.2:
Apply the latest Fix Pack (WPG 6.2 FP1 or later) or APAR JR32607
(JR33176).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21382117
IBM ISS X-Force:
http://xforce.iss.net/xforce/xfdb/52393
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200907-0058 | CVE-2009-1164 |
Cisco Wireless LAN Controller For managing Web Service disruption at the interface (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200907-1149 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.2 before 4.2.205.0 and 5.x before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a malformed response to a (1) HTTP or (2) HTTPS authentication request, aka Bug ID CSCsx03715. plural Cisco Used in products Cisco Wireless LAN Controller (WLC) For managing Web Interface has a service disruption (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCsx03715 It is a problem.By a third party HTTP Or HTTPS Service disruption through malformed responses to authentication requests (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to trigger an affected device to reboot, causing denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
* The crafted HTTP or HTTPS request denial of service vulnerability
affects software versions 4.1 and later.
* The crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability affects software versions 4.1 and
later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsx03715 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
has been assigned CVE ID CVE-2009-1165.
* Crafted HTTP or HTTPS request denial of service vulnerability
An attacker with the ability to send a malicious HTTP request to
an affected WLC could cause the device to crash and reload.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsy27708 and
has been assigned CVE ID CVE-2009-1166.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
been assigned CVE ID CVE-2009-1167.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
\xa9 2008 - 2009 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
VAR-201106-0004 | CVE-2009-5078 | GNU troff of contrib/pdfmark/pdfroff.sh Vulnerable to arbitrary file creation |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launches the Ghostscript program without the -dSAFER option, which allows remote attackers to create, overwrite, rename, or delete arbitrary files via a crafted document.
Successful exploits may allow attackers mount a symlink attack, which may allow the attacker to delete or corrupt sensitive files. Attackers can also rename arbitrary files and potentially cause a denial-of-service condition. Other attacks are also possible. Groff (GNU Troff) is the latest open source implementation of Troff, a document preparation system that generates print and screen documents for various devices from the same input source. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Groff: Multiple Vulnerabilities
Date: October 25, 2013
Bugs: #386335
ID: 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Groff, allowing
context-dependent attackers to conduct symlink attacks.
Background
==========
GNU Troff (Groff) is a text formatter used for man pages. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"
References
==========
[ 1 ] CVE-2009-5044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201106-0002 | CVE-2009-5044 | GNU troff of contrib/pdfmark/pdfroff.sh Vulnerable to overwriting arbitrary files |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file.
Successful exploits may allow attackers mount a symlink attack, which may allow the attacker to delete or corrupt sensitive files. Attackers can also rename arbitrary files and potentially cause a denial-of-service condition. Other attacks are also possible. Groff (GNU Troff) is the latest open source implementation of Troff, a document preparation system that generates print and screen documents for various devices from the same input source. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.
For more information:
SA44999
SOLUTION:
Apply updated packages via the zypper package manager. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
GNU Troff "pdfroff" Script Insecure Temporary File Creation
SECUNIA ADVISORY ID:
SA44999
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44999/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44999
RELEASE DATE:
2011-06-18
DISCUSS ADVISORY:
http://secunia.com/advisories/44999/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44999/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44999
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in GNU Troff, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
The vulnerability is caused due to the "pdfroff" script creating
temporary files insecurely.
The vulnerability is reported in version 1.20. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Reported in a Debian bug report by Brian M. Carlson.
ORIGINAL ADVISORY:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Groff: Multiple Vulnerabilities
Date: October 25, 2013
Bugs: #386335
ID: 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Groff, allowing
context-dependent attackers to conduct symlink attacks.
Background
==========
GNU Troff (Groff) is a text formatter used for man pages. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"
References
==========
[ 1 ] CVE-2009-5044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201204-0111 | CVE-2012-0777 | Adobe Flash vulnerability affects Flash Player and other Adobe products |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.1 and 10.x before 10.1.3 on Mac OS X and Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Adobe Flash contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Flash Player, Reader, Acrobat, and other products that include Flash support are affected.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2012:0469-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0469.html
Issue date: 2012-04-10
CVE Names: CVE-2012-0774 CVE-2012-0775 CVE-2012-0777
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB12-08, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. (CVE-2012-0774, CVE-2012-0775, CVE-2012-0777)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.5.1, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
810397 - CVE-2012-0774 CVE-2012-0775 CVE-2012-0777 acroread: multiple unspecified flaws (APSB12-08)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
x86_64:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
x86_64:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
x86_64:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
x86_64:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
x86_64:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0774.html
https://www.redhat.com/security/data/cve/CVE-2012-0775.html
https://www.redhat.com/security/data/cve/CVE-2012-0777.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPhKRJXlSAg2UNWIIRAsVrAJ9UzVzzjYFWUh47R5dgHQiRssfFOgCfWmLi
Icw8el8KnX3f3bgyqMCsWO0=
=NK8r
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. Flash player version 10.0.22.87
and earlier 10.x versions as well as Flash player version 9.0.159.0
and earlier 9.x versions are affected.
An attacker could exploit this vulnerability by convincing a user
to visit a website that hosts a specially crafted SWF file. The
Adobe Flash browser plugin is available for multiple web browsers
and operating systems, any of which could be affected. An attacker
could also create a PDF document that has an embedded SWF file to
exploit the vulnerability.
This vulnerability is being actively exploited.
II.
III. Solution
These vulnerabilities can be mitigated by disabling the Flash
plugin or by using the NoScript extension for Mozilla Firefox or
SeaMonkey to whitelist websites that can access the Flash plugin.
For more information about securely configuring web browsers,
please see the Securing Your Web Browser document. US-CERT
Vulnerability Note VU#259425 has additional details, as well as
information about mitigating the PDF document attack vector.
Thanks to Department of Defense Cyber Crime Center/DCISE for
information used in this document.
IV. References
* Vulnerability Note VU#259425 -
<http://www.kb.cert.org/vuls/id/259425>
* Security advisory for Adobe Reader, Acrobat and Flash Player -
<http://www.adobe.com/support/security/advisories/apsa09-03.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* NoScript - <https://addons.mozilla.org/addon/722>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-204A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-204A Feedback VU#259425" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: June 22, 2012
Bugs: #405949, #411499
ID: 201206-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-text/acroread < 9.5.1 >= 9.5.1
Description
===========
Multiple vulnerabilities have been found in Adobe Reader, including an
integer overflow in TrueType Font handling (CVE-2012-0774) and multiple
unspecified errors which could cause memory corruption.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.5.1"
References
==========
[ 1 ] CVE-2011-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4370
[ 2 ] CVE-2011-4371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4371
[ 3 ] CVE-2011-4372
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4372
[ 4 ] CVE-2011-4373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4373
[ 5 ] CVE-2012-0774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0774
[ 6 ] CVE-2012-0775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0775
[ 7 ] CVE-2012-0776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0776
[ 8 ] CVE-2012-0777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0777
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200907-0583 | No CVE | SAP NetWeaver Password Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an information-disclosure vulnerability because it fails to properly secure communication channels between clients and servers.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.
VAR-200907-0094 | CVE-2009-2047 | Cisco Unified CCX Server CRS Directory traversal vulnerability in the internal management interface |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the Administration interface in Cisco Customer Response Solutions (CRS) before 7.0(1) SR2 in Cisco Unified Contact Center Express (aka CCX) server allows remote authenticated users to read, modify, or delete arbitrary files via unspecified vectors. Cisco Unified Contact Center Express is prone to a directory-traversal vulnerability.
An attacker can exploit this issue to view, modify, or delete any file on the server through the CRS Administration interface. Successful exploits may lead to other attacks.
This issue is tracked by Cisco BugID CSCsw76644. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Cisco Unified Contact Center Express Two Vulnerabilities
SECUNIA ADVISORY ID:
SA35861
VERIFY ADVISORY:
http://secunia.com/advisories/35861/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco Unified Contact
Center Express, which can be exploited by malicious users to conduct
script insertion attacks, manipulate certain data, disclose
potentially sensitive information, and potentially compromise a
vulnerable system.
2) Certain input to the Cisco Unified CCX database is not properly
sanitised before being used. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is viewed.
CRS 7x:
Update to CRS version 7.0(1) SR2.
CRS 5.x and 6.x:
Apply hotfix crs5.0.2sr2es09 or crs6.0.1sr1es05.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. Exploitation of these vulnerabilities could
result in a denial of service condition, information disclosure, or a
privilege escalation attack.
Cisco has released free software updates that address these two
vulnerabilities in the latest version of Cisco Unified CCX software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml.
Vulnerable Products
+------------------
All versions of Cisco Unified CCX server running the following software
may be affected by these vulnerabilities, to include:
* Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x,
6.x, and 7.x
* Cisco Unified IP Interactive Voice Response (Cisco Unified IP
IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
* Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
* Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x,
and 7.x
* Cisco Customer Response Applications versions 3.x
* Cisco IP Queue Manager (IP QM) versions 3.x
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities. This vulnerability
is documented in Cisco Bug ID CSCsw76644 and has been assigned Common
Vulnerability and Exposures (CVE) ID CVE-2009-2047.
The script injection vulnerability may allow authenticated users to
enter JavaScript into the Cisco Unified CCX database. The stored script
could be executed in the browser of the next authenticated user. This
vulnerability is documented in Cisco Bug ID CSCsw76649 and has been
assigned CVE ID CVE-2009-2048.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* Incomplete input validation allows modification of OS
files/directories (CSCsw76644)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* script injection vulnerability in admin interface pages (CSCsw76649)
CVSS Base Score - 5.5
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the directory traversal vulnerability may
result in read and write access to files on the underlying operating
system.
Successful exploitation of the script injection vulnerability may result
in the execution of JavaScript of authenticated users and prevent server
pages from displaying properly.
Software Versions and Fixes
===========================
The fixes for these vulnerabilities are included in CRS version
7.0(1)SR2 and are available as a hotfix for customers running versions
5.x and 6.x. The hotfixes are crs5.0.2sr2es09 and crs6.0.1sr1es05.
Information about how to obtain the hotfixes can be found in the release
notes enclosures of the bugs at: CSCsw76644 and CSCsw76649.
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for these vulnerabilities.
The script injection attacks that are described in this advisory are
a specific classification of stored cross-site scripting attacks. A
description and mitigation technique can be found in the applied
mitigation bulletin available at the following link:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a008073f7b3.html
These vulnerabilities can be detected and mitigated with IDS signatures
3216-0 and 19001-0.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by National Australia
Bank's Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of these vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2009-July-15 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt. All rights reserved.
+--------------------------------------------------------------------
Updated: Jul 15, 2009 Document ID: 110307
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpeCwIACgkQ86n/Gc8U/uCRVACfQ16BguNxTclUmslEdX/l/W8Y
6DcAoJ3WjD6cV2PJ5LPVei8F9mMDyXLj
=wNQ1
-----END PGP SIGNATURE-----
VAR-200907-0095 | CVE-2009-2048 | Cisco Unified CCX Server CRS Internal management interface cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in the Administration interface in Cisco Customer Response Solutions (CRS) before 7.0(1) SR2 in Cisco Unified Contact Center Express (aka CCX) server allows remote authenticated users to inject arbitrary web script or HTML into the CCX database via unspecified vectors.
An attacker can exploit this issue to execute arbitrary script code in the context of the user running the application, which may aid in further attacks.
This issue is documented by Cisco Bug ID CSCsw76649. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
2) Certain input to the Cisco Unified CCX database is not properly
sanitised before being used.
CRS 7x:
Update to CRS version 7.0(1) SR2.
CRS 5.x and 6.x:
Apply hotfix crs5.0.2sr2es09 or crs6.0.1sr1es05.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. Exploitation of these vulnerabilities could
result in a denial of service condition, information disclosure, or a
privilege escalation attack.
Cisco has released free software updates that address these two
vulnerabilities in the latest version of Cisco Unified CCX software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml.
Vulnerable Products
+------------------
All versions of Cisco Unified CCX server running the following software
may be affected by these vulnerabilities, to include:
* Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x,
6.x, and 7.x
* Cisco Unified IP Interactive Voice Response (Cisco Unified IP
IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
* Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
* Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x,
and 7.x
* Cisco Customer Response Applications versions 3.x
* Cisco IP Queue Manager (IP QM) versions 3.x
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities. The stored script
could be executed in the browser of the next authenticated user.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* Incomplete input validation allows modification of OS
files/directories (CSCsw76644)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* script injection vulnerability in admin interface pages (CSCsw76649)
CVSS Base Score - 5.5
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the directory traversal vulnerability may
result in read and write access to files on the underlying operating
system.
Successful exploitation of the script injection vulnerability may result
in the execution of JavaScript of authenticated users and prevent server
pages from displaying properly.
Software Versions and Fixes
===========================
The fixes for these vulnerabilities are included in CRS version
7.0(1)SR2 and are available as a hotfix for customers running versions
5.x and 6.x. The hotfixes are crs5.0.2sr2es09 and crs6.0.1sr1es05.
The latest version of Cisco Unified Contact Center Express is
available at the following link:
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=7.0%281%29_SR2&mdfid=270569179&sftType=Cisco+Customer+Response+Solution+Software+Releases&optPlat=&nodecount=11&edesignator=null&modelName=Cisco+Unified+Contact+Center+Express&treeMdfId=2788752.
Information about how to obtain the hotfixes can be found in the release
notes enclosures of the bugs at: CSCsw76644 and CSCsw76649.
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for these vulnerabilities.
The script injection attacks that are described in this advisory are
a specific classification of stored cross-site scripting attacks. A
description and mitigation technique can be found in the applied
mitigation bulletin available at the following link:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a008073f7b3.html
These vulnerabilities can be detected and mitigated with IDS signatures
3216-0 and 19001-0.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by National Australia
Bank's Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of these vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2009-July-15 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Jul 15, 2009 Document ID: 110307
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpeCwIACgkQ86n/Gc8U/uCRVACfQ16BguNxTclUmslEdX/l/W8Y
6DcAoJ3WjD6cV2PJ5LPVei8F9mMDyXLj
=wNQ1
-----END PGP SIGNATURE-----
VAR-200907-0064 | CVE-2009-1422 | HP ProCurve Threat Management Services zl Module CRL Security Bypass Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to gain privileges via unknown vectors, aka PR_41209.
Successful exploits may allow attackers to bypass certain security restrictions, which may aid in launching further attacks. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01803910
Version: 1
HPSBGN02446 SSRT090111 rev.1 - HP ProCurve Threat Management Services zl Module (J9155A), Remote Unauthorized Access, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. These vulnerabilities could be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS).
References: CVE-2009-1422 (PR_41209), CVE-2009-1423 (PR_39898), CVE-2009-1424 (PR_39412), CVE-2009-1425 (PR_18770)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 13 July 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (HP-UX)
iEYEARECAAYFAkpbRhEACgkQ4B86/C0qfVl3xgCg7jEzheufkiLM8p1GIyuHszFs
/8IAoL0opXD/2eUOpTzzyT7cZcfmkjhQ
=pOEf
-----END PGP SIGNATURE-----
VAR-200907-0065 | CVE-2009-1423 | HP ProCurve Threat Management Services zl Module VPN Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to cause a denial of service via unknown vectors, aka PR_39898, a different vulnerability than CVE-2009-1424 and CVE-2009-1425. This vulnerability CVE-2009-1424 and CVE-2009-1425 Is a different vulnerability.Service disruption by a third party (DoS) There is a possibility of being put into a state.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01803910
Version: 1
HPSBGN02446 SSRT090111 rev.1 - HP ProCurve Threat Management Services zl Module (J9155A), Remote Unauthorized Access, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. These vulnerabilities could be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS).
References: CVE-2009-1422 (PR_41209), CVE-2009-1423 (PR_39898), CVE-2009-1424 (PR_39412), CVE-2009-1425 (PR_18770)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version:1 (rev.1) - 13 July 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (HP-UX)
iEYEARECAAYFAkpbRhEACgkQ4B86/C0qfVl3xgCg7jEzheufkiLM8p1GIyuHszFs
/8IAoL0opXD/2eUOpTzzyT7cZcfmkjhQ
=pOEf
-----END PGP SIGNATURE-----