VARIoT IoT vulnerabilities database

VAR-200908-0267 | CVE-2009-2188 | Apple Mac OS X ImageIO and Safari arbitrary code execution vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and Safari before 4.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with crafted EXIF metadata. Apple's ImageIO component is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.
Successful exploits will allow an attacker to run arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
This issue affects Mac OS X 10.5 through 10.5.7, Mac OS X Server 10.5 through 10.5.7, and Apple Safari prior to 4.0.3.
NOTE: This vulnerability was previously documented in BID 35954 (Apple Mac OS X 2009-003 Multiple Security Vulnerabilities) but has been given its own record to better document the issue.
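The record says only that ImageIO fails to bounds-check the EXIF data it parses; the exact defect was never published. The following is an added example, not Apple's ImageIO code: a bounds-checked walker for the TIFF-style IFD that carries EXIF metadata, run over a constructed 44-byte EXIF segment and three malformed variants that an unchecked parser would trust, an entry count far larger than the buffer, an out-of-line value offset past the end, and a value count whose size calculation wraps in 32-bit arithmetic. The function names, the sample bytes and the patch offsets are assumptions made for this example.

```c
/* Added example (not Apple's ImageIO code): a bounds-checked walker for the
 * TIFF-style IFD that carries EXIF metadata, exercised with a constructed
 * EXIF segment and three malformed variants of it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct ifd_entry {
    uint16_t tag, type;
    uint32_t count;
    uint32_t value_or_offset;  /* inline value if size <= 4, else offset from the TIFF header */
};

/* Byte size of TIFF field types 1..12 (BYTE, ASCII, SHORT, LONG, RATIONAL, ...); 0 = unknown. */
static const uint8_t type_size[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? ((uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24))
              : (((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Parse IFD0 of a TIFF segment; buf starts at the "II"/"MM" byte-order mark
 * (right after the "Exif\0\0" prefix of a JPEG APP1 segment). Returns the
 * number of entries written to out[], or -1 on any inconsistency. Every
 * file-controlled number (IFD offset, entry count, field type, value count,
 * value offset) is checked against len before it is used. */
int exif_parse_ifd0(const uint8_t *buf, size_t len, struct ifd_entry *out, size_t max_out)
{
    int le;
    if (len < 8) return -1;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;

    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len || len - ifd < 2) return -1;   /* the 2-byte count must fit */
    uint16_t n = rd16(buf + ifd, le);
    size_t remaining = len - ifd - 2;
    /* n entries of 12 bytes plus the 4-byte next-IFD link must fit. Compare
     * against the space left rather than adding to the offset, so nothing wraps. */
    if (remaining < 4 || (size_t)n > (remaining - 4) / 12) return -1;
    if ((size_t)n > max_out) return -1;                       /* refuse rather than truncate */

    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        struct ifd_entry ent;
        ent.tag = rd16(e, le);
        ent.type = rd16(e + 2, le);
        ent.count = rd32(e + 4, le);
        ent.value_or_offset = rd32(e + 8, le);
        if (ent.type == 0 || ent.type > 12) return -1;
        /* 64-bit size: type_size*count can exceed 2^32 and must not wrap to a small "inline" size. */
        uint64_t bytes = (uint64_t)type_size[ent.type] * ent.count;
        if (bytes > 4 && (ent.value_or_offset > len || bytes > (uint64_t)(len - ent.value_or_offset)))
            return -1;                                        /* out-of-line value outside buf */
        out[i] = ent;
    }
    return (int)n;
}

/* Constructed sample: little-endian TIFF, IFD0 at offset 8 with two entries,
 * Orientation (0x0112) = 1 stored inline and Make (0x010F) as a 6-byte ASCII
 * string stored out of line at offset 38. */
static const uint8_t SAMPLE_EXIF[44] = {
    'I', 'I', 0x2A, 0x00, 0x08, 0x00, 0x00, 0x00,        /* header: "II", 42, IFD0 @ 8 */
    0x02, 0x00,                                           /* 2 entries */
    0x12, 0x01, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, /* SHORT x1 = 1 */
    0x0F, 0x01, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, /* ASCII x6 @ 38 */
    0x00, 0x00, 0x00, 0x00,                               /* no next IFD */
    'A', 'c', 'm', 'e', '!', 0x00                         /* the Make string */
};

/* Parse a copy of the sample with patch_len bytes overwritten at patch_at
 * (patch_at < 0 = unmodified). Returns what exif_parse_ifd0 returns. */
int parse_patched(int patch_at, const uint8_t *patch, size_t patch_len)
{
    uint8_t buf[sizeof SAMPLE_EXIF];
    struct ifd_entry ents[8];
    memcpy(buf, SAMPLE_EXIF, sizeof buf);
    if (patch_at >= 0) memcpy(buf + patch_at, patch, patch_len);
    return exif_parse_ifd0(buf, sizeof buf, ents, 8);
}

int demo_valid(void) { return parse_patched(-1, NULL, 0); }                 /* 2 */
/* entry count 0xFFFF: an unchecked parser would read ~768 KiB past a 44-byte buffer */
int demo_huge_count(void) { static const uint8_t p[] = {0xFF, 0xFF}; return parse_patched(8, p, 2); }  /* -1 */
/* Make's offset set to 0x1000, far beyond the segment */
int demo_bad_offset(void) { static const uint8_t p[] = {0x00, 0x10, 0x00, 0x00}; return parse_patched(30, p, 4); }  /* -1 */
/* type LONG, count 0x40000001: 4*count wraps to 4 in uint32_t and would look inline */
int demo_count_wrap(void) { static const uint8_t p[] = {0x04, 0x00, 0x01, 0x00, 0x00, 0x40}; return parse_patched(24, p, 6); }  /* -1 */

int main(void)
{
    printf("intact sample:       %d entries\n", demo_valid());
    printf("entry count 65535:   %d\n", demo_huge_count());
    printf("offset past end:     %d\n", demo_bad_offset());
    printf("count wraps 32 bits: %d\n", demo_count_wrap());
    return 0;
}
```

Build with any C99 compiler and run: the intact sample yields 2 entries and each malformed variant returns -1. The size of an out-of-line value is computed in 64 bits on purpose; with count 0x40000001 and a 4-byte field type, a uint32_t product wraps to 4, which a naive parser would classify as an inline value and never range-check.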
I. Description
II. Impact
The impact of these vulnerabilities varies. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. Solution
These
and other updates are available via Software Update or via Apple
Downloads.
IV. References
Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects systems with a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fcntl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code.
For more information:
SA28923
SOLUTION:
Update to Mac OS X v10.5.8 or apply Security Update 2009-003.
PROVIDED AND/OR DISCOVERED BY:
of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200908-0247 | CVE-2009-0151 | Apple Mac OS X Dock screen saver lock bypass vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The screen saver in Dock in Apple Mac OS X 10.5 before 10.5.8 does not prevent four-finger Multi-Touch gestures, which allows physically proximate attackers to bypass locking and "manage applications or use Expose" via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
----------------------------------------------------------------------
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
NOTE: This vulnerability only affects systems with a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fcntl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code.
PROVIDED AND/OR DISCOVERED BY:
of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
VAR-200908-0264 | CVE-2009-2198 | Apple GarageBand Information Disclosure Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple GarageBand before 5.1 reconfigures Safari to accept all cookies regardless of domain name, which makes it easier for remote web servers to track users. Apple GarageBand is prone to an information-disclosure vulnerability.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in tracking a user's web activities.
This issue affects versions prior to GarageBand 5.1 for Mac OS X 10.5.7. Apple GarageBand is music production software from Apple.
----------------------------------------------------------------------
----------------------------------------------------------------------
TITLE:
Apple GarageBand Web Activity Tracking Disclosure
SECUNIA ADVISORY ID:
SA36114
VERIFY ADVISORY:
http://secunia.com/advisories/36114/
DESCRIPTION:
A security issue has been reported in GarageBand, which can be
exploited by malicious people to gain knowledge of sensitive
information.
The problem is caused due to Safari's preferences being changed to
always accept cookies when opening GarageBand. This could allow third
parties and advertisers to track a user's web activity.
SOLUTION:
Update to version 5.1.
http://support.apple.com/downloads/GarageBand_5_1
NOTE: Users of previous versions should also check that their Safari
preferences are set as desired.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3732
----------------------------------------------------------------------
VAR-200909-0290 | CVE-2009-3455 | Apple Safari arbitrary SSL server impersonation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Safari, possibly before 4.0.3, on Mac OS X does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This is an SSL server impersonation vulnerability related to CVE-2009-2408: an attacker holding such a crafted certificate could impersonate an SSL server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
UPDATE (October 5, 2009): The vendor states that Safari on Mac OS X is not affected by this issue. This vulnerability is related to CVE-2009-2408.
VAR-200907-0748 | CVE-2009-2408 | Multiple Mozilla products arbitrary SSL server spoofing vulnerability |
CVSS V2: 6.8 CVSS V3: 5.9 Severity: MEDIUM |
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. In multiple Mozilla products, the flaw lies in the handling of the domain name in the Common Name (CN) field of an X.509 certificate.
The NSS library is used by a number of applications, including Mozilla Firefox, Thunderbird, and SeaMonkey.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
NOTE (August 6, 2009): This BID had included a similar issue in Fetchmail, but that issue is now documented in BID 35951 (Fetchmail NULL Character CA SSL Certificate Validation Security Bypass Vulnerability). Mozilla Network Security Services (NSS) is a library from the Mozilla Foundation that provides cross-platform support for SSL, S/MIME and other Internet security standards. The vulnerability is a mismatch between how the CA that issues a server certificate and how an NSS-based SSL client interpret the domain name in that certificate. If an attacker requests a certificate for a host name containing an embedded null character, most CAs will issue it as long as the requester controls the domain that follows the null character; most SSL clients (browsers), however, stop reading the name at the null character and ignore everything after it. By placing a null character in front of the portion the CA validates, an attacker can use such a certificate in a man-in-the-middle attack to establish a false trust relationship.
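The following is an added example, not NSS, Safari or any CA's code, and it covers both the Safari record above (CVE-2009-3455) and this NSS one: the same crafted Common Name is evaluated from the CA's side, by a client that compares it as a NUL-terminated C string, and by a client that compares it by its DER length. The host names, the simplified CA ownership check and all function names are constructed for illustration.

```c
/* Added example, not NSS, Safari or any CA's code: a certificate Common Name
 * with an embedded NUL byte passes a C-string host-name match and fails a
 * length-aware one. Names and the sample CN are constructed for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A DER string carries an explicit length; a CN is (bytes, length), not a
 * NUL-terminated C string. */
struct der_string {
    const unsigned char *data;
    size_t len;
};

/* Constructed CN as a CA might issue it to an attacker who controls
 * badguy.example and requests "www.bank.example\0.badguy.example". */
static const unsigned char CRAFTED_CN[] = "www.bank.example\0.badguy.example";
static const unsigned char LEGIT_CN[]   = "WWW.Bank.Example";

/* sizeof includes the string literal's terminating NUL, so drop it. */
static struct der_string der(const unsigned char *lit, size_t sizeof_lit)
{
    struct der_string s = { lit, sizeof_lit - 1 };
    return s;
}

/* Simplified CA-side check: the requested name ends with a domain the
 * requester proved control of. The CA sees all 32 bytes of the name. */
int ca_accepts_request(const struct der_string *cn, const char *owned)
{
    size_t olen = strlen(owned);
    return cn->len >= olen && memcmp(cn->data + cn->len - olen, owned, olen) == 0;
}

/* Flawed client-side matcher: treats the DER bytes as a C string, so strcmp
 * stops at the first NUL and never sees ".badguy.example". */
int cn_matches_host_cstr(const struct der_string *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Hardened client-side matcher: reject any embedded NUL (no host name may
 * contain one), then compare exactly cn->len bytes, ASCII case-insensitively. */
int cn_matches_host_len(const struct der_string *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (memchr(cn->data, '\0', cn->len) != NULL) return 0;
    if (cn->len != hlen) return 0;
    for (size_t i = 0; i < hlen; i++)
        if (tolower(cn->data[i]) != tolower((unsigned char)host[i])) return 0;
    return 1;
}

/* Demo entry points; the return values are what the checks below rely on. */
int demo_ca_issues_crafted(void)
{
    struct der_string cn = der(CRAFTED_CN, sizeof CRAFTED_CN);
    return ca_accepts_request(&cn, "badguy.example");        /* 1: CA is satisfied */
}
int demo_cstr_accepts_crafted(void)
{
    struct der_string cn = der(CRAFTED_CN, sizeof CRAFTED_CN);
    return cn_matches_host_cstr(&cn, "www.bank.example");   /* 1: spoof succeeds */
}
int demo_len_rejects_crafted(void)
{
    struct der_string cn = der(CRAFTED_CN, sizeof CRAFTED_CN);
    return cn_matches_host_len(&cn, "www.bank.example");    /* 0: spoof rejected */
}
int demo_len_accepts_legit(void)
{
    struct der_string cn = der(LEGIT_CN, sizeof LEGIT_CN);
    return cn_matches_host_len(&cn, "www.bank.example");    /* 1: real cert still works */
}

int main(void)
{
    printf("CA issues crafted CN:            %d\n", demo_ca_issues_crafted());
    printf("strcmp matcher accepts crafted:  %d\n", demo_cstr_accepts_crafted());
    printf("length matcher accepts crafted:  %d\n", demo_len_rejects_crafted());
    printf("length matcher accepts legit CN: %d\n", demo_len_accepts_legit());
    return 0;
}
```

The two client-side matchers differ only in whether they honour the DER length. The hardened one rejects the embedded NUL outright rather than trying to compare past it, because a name that cannot occur in DNS has no legitimate reason to appear in a certificate; a real implementation would also consult subjectAltName before falling back to the CN.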
A vulnerability was found in xmltok_impl.c (expat) that with
specially crafted XML could be exploited and lead to a denial of
service attack. Related to CVE-2009-2625 (CVE-2009-3720).
This update provides the latest version of Thunderbird, which is not
vulnerable to these issues.
Update:
Packages for 2008.0 are being provided due to extended support for
Corporate products.
An input sanitization flaw was found in the KSSL (KDE SSL Wrapper)
API. An attacker could supply a specially-crafted SSL certificate
(for example, via a web page) to an application using KSSL, such
as the Konqueror web browser, causing misleading information to be
presented to the user, possibly tricking them into accepting the
certificate as valid (CVE-2011-3365).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3365
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
8c6545c176b2716248c33e52135a3e2d 2010.1/i586/kdelibs4-core-4.4.5-0.4mdv2010.2.i586.rpm
e54c7a21386ff85f46471fda6135ff6c 2010.1/i586/kdelibs4-devel-4.4.5-0.4mdv2010.2.i586.rpm
243c4d3db4a9e95a393f97e74818488e 2010.1/i586/libkde3support4-4.4.5-0.4mdv2010.2.i586.rpm
2b62c63d46a66adf26667731ddca4a06 2010.1/i586/libkdecore5-4.4.5-0.4mdv2010.2.i586.rpm
025038d3783371e8f46d11eaf204e65f 2010.1/i586/libkdefakes5-4.4.5-0.4mdv2010.2.i586.rpm
9a3bfa3d242e1d45194c4f55f812c67d 2010.1/i586/libkdesu5-4.4.5-0.4mdv2010.2.i586.rpm
e9c69b97be0d6c7adcf7233c1d590dc6 2010.1/i586/libkdeui5-4.4.5-0.4mdv2010.2.i586.rpm
1ecfc8e228818bf267979da7428ba24a 2010.1/i586/libkdewebkit5-4.4.5-0.4mdv2010.2.i586.rpm
2be64f84a3a0160d353eaf4a66c88b1c 2010.1/i586/libkdnssd4-4.4.5-0.4mdv2010.2.i586.rpm
44fc6a0928497b64217bc06637ecc219 2010.1/i586/libkfile4-4.4.5-0.4mdv2010.2.i586.rpm
e148b42fa8180b02aa3c7c54089cd16e 2010.1/i586/libkhtml5-4.4.5-0.4mdv2010.2.i586.rpm
c17229d3aff113fee855eb647b2ee891 2010.1/i586/libkimproxy4-4.4.5-0.4mdv2010.2.i586.rpm
19876055e3b367010fd3a156a86a36ad 2010.1/i586/libkio5-4.4.5-0.4mdv2010.2.i586.rpm
5090009d080971d3ab92f788f18f1e26 2010.1/i586/libkjs4-4.4.5-0.4mdv2010.2.i586.rpm
8c2065a0cb35e2cc182b6bd0db267d62 2010.1/i586/libkjsapi4-4.4.5-0.4mdv2010.2.i586.rpm
ed3966642b6a5d54ecffb6fc9a8b6290 2010.1/i586/libkjsembed4-4.4.5-0.4mdv2010.2.i586.rpm
008fe65285eaf4ba2d9f7c0655230c52 2010.1/i586/libkmediaplayer4-4.4.5-0.4mdv2010.2.i586.rpm
001fbc71b4da46f199b505c58e0c6228 2010.1/i586/libknewstuff2_4-4.4.5-0.4mdv2010.2.i586.rpm
672553fad8848265e1ba408f43bf7781 2010.1/i586/libknewstuff34-4.4.5-0.4mdv2010.2.i586.rpm
13cf045179be91975700fa3310a0fc70 2010.1/i586/libknotifyconfig4-4.4.5-0.4mdv2010.2.i586.rpm
3752242079665a17a3a35ac4c05484bd 2010.1/i586/libkntlm4-4.4.5-0.4mdv2010.2.i586.rpm
af471317415306fdfbb5ff9d3c49ceea 2010.1/i586/libkparts4-4.4.5-0.4mdv2010.2.i586.rpm
8d3c2e7c7ba723e56bc090786d1bf96c 2010.1/i586/libkpty4-4.4.5-0.4mdv2010.2.i586.rpm
b5648f3780cdc55c57a0d03d3fb7cc97 2010.1/i586/libkrosscore4-4.4.5-0.4mdv2010.2.i586.rpm
ea771f370b730efa9c4019c8ceac1c22 2010.1/i586/libkrossui4-4.4.5-0.4mdv2010.2.i586.rpm
44dc92b4ff070db13c9dfb4954dcfa75 2010.1/i586/libktexteditor4-4.4.5-0.4mdv2010.2.i586.rpm
926b45cc828f8f53d63a6030d278e5bd 2010.1/i586/libkunitconversion4-4.4.5-0.4mdv2010.2.i586.rpm
4fd1c96ffa938806a5d055a4b61c3845 2010.1/i586/libkunittest4-4.4.5-0.4mdv2010.2.i586.rpm
99a712d56d383e91b17ac560a109d9ce 2010.1/i586/libkutils4-4.4.5-0.4mdv2010.2.i586.rpm
5db891d08fcfbe866da4a2cfc2c101ed 2010.1/i586/libnepomuk4-4.4.5-0.4mdv2010.2.i586.rpm
853dc3a02d9783bc7d4ed5586271f82a 2010.1/i586/libnepomukquery4-4.4.5-0.4mdv2010.2.i586.rpm
0b4d63fd1d8edd42a74ae1832694ef84 2010.1/i586/libplasma3-4.4.5-0.4mdv2010.2.i586.rpm
fb356f0eb954f2871f0bd91ef4981f74 2010.1/i586/libsolid4-4.4.5-0.4mdv2010.2.i586.rpm
ee166bc5ab6785306f330e4e13b59938 2010.1/i586/libthreadweaver4-4.4.5-0.4mdv2010.2.i586.rpm
a3bd1963ad774911ef4d1902ce33aec9 2010.1/SRPMS/kdelibs4-4.4.5-0.4mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
e4f1f7f8407938fae5eee9be6daf6463 2010.1/x86_64/kdelibs4-core-4.4.5-0.4mdv2010.2.x86_64.rpm
afc1815bfb3e5c1b17a5e774a86d8262 2010.1/x86_64/kdelibs4-devel-4.4.5-0.4mdv2010.2.x86_64.rpm
acabd29c100952c3a8268f6e48ae729c 2010.1/x86_64/lib64kde3support4-4.4.5-0.4mdv2010.2.x86_64.rpm
4496e00fc526e1b331d5f7553ad759ab 2010.1/x86_64/lib64kdecore5-4.4.5-0.4mdv2010.2.x86_64.rpm
9f6dfb1b7af9299fb96941926e7d69e9 2010.1/x86_64/lib64kdefakes5-4.4.5-0.4mdv2010.2.x86_64.rpm
2e682ce762d8a60cc4322370567b5f6c 2010.1/x86_64/lib64kdesu5-4.4.5-0.4mdv2010.2.x86_64.rpm
acd07b647db525427550f6763b936a7a 2010.1/x86_64/lib64kdeui5-4.4.5-0.4mdv2010.2.x86_64.rpm
4fb64c5e05fb52b0b2c5eb1a92fdb3d1 2010.1/x86_64/lib64kdewebkit5-4.4.5-0.4mdv2010.2.x86_64.rpm
4176fd87a0b92f2ee7d088f3d4a774d0 2010.1/x86_64/lib64kdnssd4-4.4.5-0.4mdv2010.2.x86_64.rpm
eed83cf3b32bd23a0b16fce8d2834e9d 2010.1/x86_64/lib64kfile4-4.4.5-0.4mdv2010.2.x86_64.rpm
d66febf0bb7e273fb687c144a36ac138 2010.1/x86_64/lib64khtml5-4.4.5-0.4mdv2010.2.x86_64.rpm
174ac58c7dc86ee4458526b5a2480662 2010.1/x86_64/lib64kimproxy4-4.4.5-0.4mdv2010.2.x86_64.rpm
b7c162555f547ae0d9edbf71bfe04f0d 2010.1/x86_64/lib64kio5-4.4.5-0.4mdv2010.2.x86_64.rpm
5d89a4e23e342dee305e2107bfdc8c0e 2010.1/x86_64/lib64kjs4-4.4.5-0.4mdv2010.2.x86_64.rpm
d2df6f4275de4ff6407188ada2785094 2010.1/x86_64/lib64kjsapi4-4.4.5-0.4mdv2010.2.x86_64.rpm
50ed7da9bcd068acb4819139eebb9026 2010.1/x86_64/lib64kjsembed4-4.4.5-0.4mdv2010.2.x86_64.rpm
ad3c77de9a052f9b2612b15fb82be03f 2010.1/x86_64/lib64kmediaplayer4-4.4.5-0.4mdv2010.2.x86_64.rpm
b9a8fbcdc54c359415075cf449ef6e4f 2010.1/x86_64/lib64knewstuff2_4-4.4.5-0.4mdv2010.2.x86_64.rpm
6d6c9151d9a634ca423770e919179b50 2010.1/x86_64/lib64knewstuff34-4.4.5-0.4mdv2010.2.x86_64.rpm
fe7c248a30318f755bd0fe1b11f98fe4 2010.1/x86_64/lib64knotifyconfig4-4.4.5-0.4mdv2010.2.x86_64.rpm
888e7081a5be8ac0e1cbd7b47fd13ae7 2010.1/x86_64/lib64kntlm4-4.4.5-0.4mdv2010.2.x86_64.rpm
5c5e89cc9cd02ebf9267b7ee5faf1278 2010.1/x86_64/lib64kparts4-4.4.5-0.4mdv2010.2.x86_64.rpm
6c6bb95f61e8c26cc50902024303b3fe 2010.1/x86_64/lib64kpty4-4.4.5-0.4mdv2010.2.x86_64.rpm
22d1c3f2d8345743f1d834ecccd069d4 2010.1/x86_64/lib64krosscore4-4.4.5-0.4mdv2010.2.x86_64.rpm
502fb43a0a37496f2c11616d07fbbcbe 2010.1/x86_64/lib64krossui4-4.4.5-0.4mdv2010.2.x86_64.rpm
d4fbf824ea3c54a902dc1e18e13756d0 2010.1/x86_64/lib64ktexteditor4-4.4.5-0.4mdv2010.2.x86_64.rpm
927ed8af9b7e7c575c9e7984f4e80a89 2010.1/x86_64/lib64kunitconversion4-4.4.5-0.4mdv2010.2.x86_64.rpm
12cd248453e3a3791de5f87f988eb430 2010.1/x86_64/lib64kunittest4-4.4.5-0.4mdv2010.2.x86_64.rpm
2f9420a8dadfb08821bd911a3adb7b3f 2010.1/x86_64/lib64kutils4-4.4.5-0.4mdv2010.2.x86_64.rpm
b9c9f1d4e0c8a51fd5d081b05b362def 2010.1/x86_64/lib64nepomuk4-4.4.5-0.4mdv2010.2.x86_64.rpm
e80871c0e9b5b0c72a3ea2b2f86e64d1 2010.1/x86_64/lib64nepomukquery4-4.4.5-0.4mdv2010.2.x86_64.rpm
29b23d3b31f4db91dc73f6a37ea02db1 2010.1/x86_64/lib64plasma3-4.4.5-0.4mdv2010.2.x86_64.rpm
c2ba7f9a9f2202330a1c7bf46004f41d 2010.1/x86_64/lib64solid4-4.4.5-0.4mdv2010.2.x86_64.rpm
8a0ec353667253b3e3899c6980052999 2010.1/x86_64/lib64threadweaver4-4.4.5-0.4mdv2010.2.x86_64.rpm
a3bd1963ad774911ef4d1902ce33aec9 2010.1/SRPMS/kdelibs4-4.4.5-0.4mdv2010.2.src.rpm
Mandriva Linux 2011:
44421dc86e6c96eb9f4a1b835c40006d 2011/i586/kdelibs4-core-4.6.5-9.1-mdv2011.0.i586.rpm
31ef78219ce113dc91ba2d45ca166276 2011/i586/kdelibs4-devel-4.6.5-9.1-mdv2011.0.i586.rpm
c72c7b24079aab97ce0923f5dd0bdf24 2011/i586/libkatepartinterfaces4-4.6.5-9.1-mdv2011.0.i586.rpm
882b577dc3c6a9b9f1c7872046cbffb4 2011/i586/libkcmutils4-4.6.5-9.1-mdv2011.0.i586.rpm
b1cdc2769a17e075b43a2d1e49eb4efb 2011/i586/libkde3support4-4.6.5-9.1-mdv2011.0.i586.rpm
2aa0a579e90ea8b0015bcbccdeb4077e 2011/i586/libkdecore5-4.6.5-9.1-mdv2011.0.i586.rpm
105f203a2470d8d3aaf4381ba47f4a20 2011/i586/libkdefakes5-4.6.5-9.1-mdv2011.0.i586.rpm
3ad287cab02d774df12b8f5cedd2b7cb 2011/i586/libkdesu5-4.6.5-9.1-mdv2011.0.i586.rpm
4d4dcdf956ca0194bc2da5d901e14910 2011/i586/libkdeui5-4.6.5-9.1-mdv2011.0.i586.rpm
c5d8b2ced514be22ff42c8a610dea367 2011/i586/libkdewebkit5-4.6.5-9.1-mdv2011.0.i586.rpm
89d3df52d5659ba172b5021aaa0800ba 2011/i586/libkdnssd4-4.6.5-9.1-mdv2011.0.i586.rpm
6f6e7b50cc22c4d0efec46ad85c52145 2011/i586/libkemoticons4-4.6.5-9.1-mdv2011.0.i586.rpm
f9e7fb1a985fee36db209259643e3d43 2011/i586/libkfile4-4.6.5-9.1-mdv2011.0.i586.rpm
ce0c07b3ab9ffb23074e3dcfd311251f 2011/i586/libkhtml5-4.6.5-9.1-mdv2011.0.i586.rpm
3e4bcd7edf1e6ddb2d2a75a563e83362 2011/i586/libkidletime4-4.6.5-9.1-mdv2011.0.i586.rpm
bc4ad21bf5df0428897249edc07ee139 2011/i586/libkimproxy4-4.6.5-9.1-mdv2011.0.i586.rpm
86d9aa7a95e0b3c8c3736bced5030529 2011/i586/libkio5-4.6.5-9.1-mdv2011.0.i586.rpm
42894f5fef6b3955f4cc7cdc39a9b8b6 2011/i586/libkjs4-4.6.5-9.1-mdv2011.0.i586.rpm
5293f2f284c1df6466a84cfd33426b21 2011/i586/libkjsapi4-4.6.5-9.1-mdv2011.0.i586.rpm
600ac620222614c9240c56e35061dd5f 2011/i586/libkjsembed4-4.6.5-9.1-mdv2011.0.i586.rpm
e6b032340b8f8b45f5e3dea24d4b795e 2011/i586/libkmediaplayer4-4.6.5-9.1-mdv2011.0.i586.rpm
a9e4510933f71ee9354d41dc7f5c21f9 2011/i586/libknewstuff2_4-4.6.5-9.1-mdv2011.0.i586.rpm
4fffe4a09ab06dbb13e19ef552c765d3 2011/i586/libknewstuff3_4-4.6.5-9.1-mdv2011.0.i586.rpm
6176f21ff0870d298cad30f19cbc5985 2011/i586/libknotifyconfig4-4.6.5-9.1-mdv2011.0.i586.rpm
aaca814c82291a16831052da452b072a 2011/i586/libkntlm4-4.6.5-9.1-mdv2011.0.i586.rpm
38441eea27e26fded337b55d1c7187b8 2011/i586/libkparts4-4.6.5-9.1-mdv2011.0.i586.rpm
e1d9a6f2b3cf3546fffca8b3092b96d7 2011/i586/libkprintutils4-4.6.5-9.1-mdv2011.0.i586.rpm
78764e6b917983c8e337c69ac99d17f4 2011/i586/libkpty4-4.6.5-9.1-mdv2011.0.i586.rpm
8b727fc309bbb81de1d8ace536351303 2011/i586/libkrosscore4-4.6.5-9.1-mdv2011.0.i586.rpm
051aa118fdbcc20755754c2a4a45fdba 2011/i586/libkrossui4-4.6.5-9.1-mdv2011.0.i586.rpm
c135b1698036881db6ab90cb448c265b 2011/i586/libktexteditor4-4.6.5-9.1-mdv2011.0.i586.rpm
f7526412295bd86a3fdf26ad6bc8e962 2011/i586/libkunitconversion4-4.6.5-9.1-mdv2011.0.i586.rpm
603c837536ad6ca871ffe589c747c0f5 2011/i586/libkunittest4-4.6.5-9.1-mdv2011.0.i586.rpm
e4c09f0fcb6f28bf768d337c62686eac 2011/i586/libkutils4-4.6.5-9.1-mdv2011.0.i586.rpm
ac93402de1c9e45b65944aaeb8e425bf 2011/i586/libnepomuk4-4.6.5-9.1-mdv2011.0.i586.rpm
ea8ba57a4f5e91529a074b3b5ddafb63 2011/i586/libnepomukquery4-4.6.5-9.1-mdv2011.0.i586.rpm
a1ca1f682adaea8192cdf17082179790 2011/i586/libnepomukutils4-4.6.5-9.1-mdv2011.0.i586.rpm
beb7c3df35c4208608541faba3e3cff1 2011/i586/libplasma3-4.6.5-9.1-mdv2011.0.i586.rpm
76cf8c65bc34fd9981ebd776fae7dd6b 2011/i586/libsolid4-4.6.5-9.1-mdv2011.0.i586.rpm
4dbe0bea09b0efcb77e4f97af52ee554 2011/i586/libthreadweaver4-4.6.5-9.1-mdv2011.0.i586.rpm
9cda5c5ab321d1d77cad4b273a8227a3 2011/SRPMS/kdelibs4-4.6.5-9.1.src.rpm
Mandriva Linux 2011/X86_64:
a416f173f6fee7f10e01e940622b03c7 2011/x86_64/kdelibs4-core-4.6.5-9.1-mdv2011.0.x86_64.rpm
fdc8c171954de23a0161faec669953a3 2011/x86_64/kdelibs4-devel-4.6.5-9.1-mdv2011.0.x86_64.rpm
389d42165fcb6c8853bda9f8fe352438 2011/x86_64/lib64katepartinterfaces4-4.6.5-9.1-mdv2011.0.x86_64.rpm
553e0d225fdc7335afd7571bc404b808 2011/x86_64/lib64kcmutils4-4.6.5-9.1-mdv2011.0.x86_64.rpm
1b073a351c1e5d2c350a908e361afde7 2011/x86_64/lib64kde3support4-4.6.5-9.1-mdv2011.0.x86_64.rpm
8a10b775f1dc843404e518eb1dd15263 2011/x86_64/lib64kdecore5-4.6.5-9.1-mdv2011.0.x86_64.rpm
98b3c619dab6bcf91ebaea35dc59f24e 2011/x86_64/lib64kdefakes5-4.6.5-9.1-mdv2011.0.x86_64.rpm
3035d04055ef41dc710a9a5cfa15f48f 2011/x86_64/lib64kdesu5-4.6.5-9.1-mdv2011.0.x86_64.rpm
4bb1aade6cbc696aa298a0053a2778aa 2011/x86_64/lib64kdeui5-4.6.5-9.1-mdv2011.0.x86_64.rpm
05593647a56638371c4b06f8eec04199 2011/x86_64/lib64kdewebkit5-4.6.5-9.1-mdv2011.0.x86_64.rpm
9a61f92a25556635fdf01bd629079c05 2011/x86_64/lib64kdnssd4-4.6.5-9.1-mdv2011.0.x86_64.rpm
ebb20032192f17c4d8d46d7a117d6186 2011/x86_64/lib64kemoticons4-4.6.5-9.1-mdv2011.0.x86_64.rpm
7c16488a8271d8e0440f886a1e7a3e59 2011/x86_64/lib64kfile4-4.6.5-9.1-mdv2011.0.x86_64.rpm
f2b43f9f213e29c69f9bcf1fe30a0f91 2011/x86_64/lib64khtml5-4.6.5-9.1-mdv2011.0.x86_64.rpm
e01dd3d898e30c921275e9e3fd7fe8a0 2011/x86_64/lib64kidletime4-4.6.5-9.1-mdv2011.0.x86_64.rpm
bf2a67810c9530f7d06584fe92a086cd 2011/x86_64/lib64kimproxy4-4.6.5-9.1-mdv2011.0.x86_64.rpm
3dc38dd2200e7765178b756d18355c5e 2011/x86_64/lib64kio5-4.6.5-9.1-mdv2011.0.x86_64.rpm
479d0258813eb4ce2112efa290ac992f 2011/x86_64/lib64kjs4-4.6.5-9.1-mdv2011.0.x86_64.rpm
5821bd4cb36e6ae484fed3f3b178f64c 2011/x86_64/lib64kjsapi4-4.6.5-9.1-mdv2011.0.x86_64.rpm
97d0a7073257b5d38ebd89608b230cb2 2011/x86_64/lib64kjsembed4-4.6.5-9.1-mdv2011.0.x86_64.rpm
b8201d7c86d380f53a747569c86cc125 2011/x86_64/lib64kmediaplayer4-4.6.5-9.1-mdv2011.0.x86_64.rpm
a7470e5a2f9f1c2802a70386d94734d9 2011/x86_64/lib64knewstuff2_4-4.6.5-9.1-mdv2011.0.x86_64.rpm
d10cff1d4ae24594f65017681b351aa4 2011/x86_64/lib64knewstuff3_4-4.6.5-9.1-mdv2011.0.x86_64.rpm
40625fb25f84a66747bfdb5e8c33397f 2011/x86_64/lib64knotifyconfig4-4.6.5-9.1-mdv2011.0.x86_64.rpm
7a58f4dad0d080ad1bb4f9d0b7b55721 2011/x86_64/lib64kntlm4-4.6.5-9.1-mdv2011.0.x86_64.rpm
216f06e8c9bc940a7c1bc96c0be60c85 2011/x86_64/lib64kparts4-4.6.5-9.1-mdv2011.0.x86_64.rpm
d2bf6a48431bfa87b20274b6a916ed07 2011/x86_64/lib64kprintutils4-4.6.5-9.1-mdv2011.0.x86_64.rpm
17e748ccf383dcd76bf54370bae5b60b 2011/x86_64/lib64kpty4-4.6.5-9.1-mdv2011.0.x86_64.rpm
2980ae5e1eb2df517b9ac30f815e2b86 2011/x86_64/lib64krosscore4-4.6.5-9.1-mdv2011.0.x86_64.rpm
a3daeac9197c566f3112a0efc2a20440 2011/x86_64/lib64krossui4-4.6.5-9.1-mdv2011.0.x86_64.rpm
0eb6aa884c8725aa2cc7cc5947f10fce 2011/x86_64/lib64ktexteditor4-4.6.5-9.1-mdv2011.0.x86_64.rpm
e58f316e4fe7ec5412c6f24b263f61d8 2011/x86_64/lib64kunitconversion4-4.6.5-9.1-mdv2011.0.x86_64.rpm
a07e9a42d9d34450fcdaa4a81fee7e1b 2011/x86_64/lib64kunittest4-4.6.5-9.1-mdv2011.0.x86_64.rpm
34610271f7de5ba3c6226d857831162f 2011/x86_64/lib64kutils4-4.6.5-9.1-mdv2011.0.x86_64.rpm
ddf3eb523f5b29dd49b937b63d3efce7 2011/x86_64/lib64nepomuk4-4.6.5-9.1-mdv2011.0.x86_64.rpm
eacd8f03c285571b4724f93b4f80525c 2011/x86_64/lib64nepomukquery4-4.6.5-9.1-mdv2011.0.x86_64.rpm
9fc98f8e2958ad971b73a887ecc25d75 2011/x86_64/lib64nepomukutils4-4.6.5-9.1-mdv2011.0.x86_64.rpm
b66922bbe21ba37ab38a362eb279b399 2011/x86_64/lib64plasma3-4.6.5-9.1-mdv2011.0.x86_64.rpm
412dee5f9cbf514d0cc8e7b6c4bb7036 2011/x86_64/lib64solid4-4.6.5-9.1-mdv2011.0.x86_64.rpm
ed8eb7bd7d026d75615bda14538fe6af 2011/x86_64/lib64threadweaver4-4.6.5-9.1-mdv2011.0.x86_64.rpm
9cda5c5ab321d1d77cad4b273a8227a3 2011/SRPMS/kdelibs4-4.6.5-9.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOr+brmqjQ0CJFipgRApQNAKDVWJ591FTnmPG9EY+uaQ0yn+SKfwCg2PkW
N0/0RYLF0JoU7ErOvYOPwxA=
=+mKq
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-2025-1 security@debian.org
http://www.debian.org/security/ Steffen Joeris
March 31, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : icedove
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE IDs : CVE-2009-2408 CVE-2009-2404 CVE-2009-2463
CVE-2009-3072 CVE-2009-3075 CVE-2010-0163
Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird mail client. The
Common Vulnerabilities and Exposures project identifies the following
problems:
CVE-2009-2408
Dan Kaminsky and Moxie Marlinspike discovered that icedove does not
properly handle a '\0' character in a domain name in the subject's
Common Name (CN) field of an X.509 certificate (MFSA 2009-42).
CVE-2009-2404
Moxie Marlinspike reported a heap overflow vulnerability in the code
that handles regular expressions in certificate names (MFSA 2009-43).
CVE-2009-2463
monarch2020 discovered an integer overflow in a base64 decoding function
(MFSA 2010-07).
CVE-2009-3072
Josh Soref discovered a crash in the BinHex decoder (MFSA 2010-07).
CVE-2009-3075
Carsten Book reported a crash in the JavaScript engine (MFSA 2010-07).
CVE-2010-0163
Ludovic Hirlimann reported a crash indexing some messages with
attachments, which could lead to the execution of arbitrary code
(MFSA 2010-07).
For the stable distribution (lenny), these problems have been fixed in
version 2.0.0.24-0lenny1.
Due to a problem with the archive system it is not possible to release
all architectures. The missing architectures will be installed into the
archive once they become available.
For the testing distribution squeeze and the unstable distribution (sid),
these problems will be fixed soon.
We recommend that you upgrade your icedove packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
- -------------------------------
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Debian (stable)
- ---------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24.orig.tar.gz
Size/MD5 checksum: 35856543 3bf6e40cddf593ddc1a66b9e721f12b9
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1.dsc
Size/MD5 checksum: 1668 111c1a93c1ce498715e231272123f841
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1.diff.gz
Size/MD5 checksum: 103260 4661b0c8c170d58f844337699cb8ca1a
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum: 3723382 12c7fe63b0a5c59680ca36200a6f7d20
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum: 61132 c0f96569d4ea0f01cff3950572b3dda9
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum: 57375560 95a614e1cb620fad510eb51ae5cb37c5
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_alpha.deb
Size/MD5 checksum: 13468190 03a629abf18130605927f5817b097bac
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_amd64.deb
Size/MD5 checksum: 57584134 7d909c9f1b67d4758e290dc2c1dc01f2
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_amd64.deb
Size/MD5 checksum: 3937168 de9dda16f94e696de897bec6c8d45f90
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_amd64.deb
Size/MD5 checksum: 12384488 8d1632f7511c711a1d2ea940f7e451a2
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_amd64.deb
Size/MD5 checksum: 59114 fae947071c0de6ebce316decbce61f9a
arm architecture (ARM)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_arm.deb
Size/MD5 checksum: 3929902 5ab6f673b34770278270fb7862986b0b
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_arm.deb
Size/MD5 checksum: 53746 c9c53e8a42d85fe5f4fa8e2a85e55629
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_arm.deb
Size/MD5 checksum: 56491578 8eb38c6f99c501556506ac6790833941
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_arm.deb
Size/MD5 checksum: 10943350 d7c0badfe9210ce5341eb17ab7e71ca2
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_hppa.deb
Size/MD5 checksum: 3944678 2a9dc50b61420b4fdf8f3a4d378bb484
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_hppa.deb
Size/MD5 checksum: 60554 7dcd739363cff3cc4bda659b82856536
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_hppa.deb
Size/MD5 checksum: 58523174 6780e8f9de0f2ed0c3bd533d03853d85
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_hppa.deb
Size/MD5 checksum: 13952170 88674f31191b07cd76ea5d366c545f1d
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_i386.deb
Size/MD5 checksum: 10951904 52ce1587c6eb95b7f8b63ccedf224d88
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_i386.deb
Size/MD5 checksum: 54838 101de9e837bea9391461074481bf770f
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_i386.deb
Size/MD5 checksum: 3924810 6ecf3693cce2ae97fd0bbdafc1ff06f6
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_i386.deb
Size/MD5 checksum: 56543048 73d1684cf69bed0441393abb46610433
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_ia64.deb
Size/MD5 checksum: 3756914 615afd30bf893d2d32bbacedf1f7ff8e
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_ia64.deb
Size/MD5 checksum: 16545566 0444c7198e94ab59e103e60bf86a2aa2
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_ia64.deb
Size/MD5 checksum: 66302 f8800140b3797d4a4267a5dac0043995
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_ia64.deb
Size/MD5 checksum: 57199564 5df5808f91ecdf6ac49f0e922b1a0234
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/i/icedove/icedove_2.0.0.24-0lenny1_powerpc.deb
Size/MD5 checksum: 12112586 4b40106b68670c726624348c0cb8bd1f
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_2.0.0.24-0lenny1_powerpc.deb
Size/MD5 checksum: 59511730 226cdd43af9dffb4132002044120769c
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_2.0.0.24-0lenny1_powerpc.deb
Size/MD5 checksum: 56670 72e58731ac68f2c599704a3e7ca45d4c
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_2.0.0.24-0lenny1_powerpc.deb
Size/MD5 checksum: 3942470 e8454d41a095226a2d252f10da795d96
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkuzCYEACgkQ62zWxYk/rQfEoQCfZP1v8IKG5mZvqvpREtfgpHLH
mSkAn3Irm0DPIBkS/Zqz2dMfEVSq96IU
=gE9m
-----END PGP SIGNATURE-----
CVE-2009-2408
Dan Kaminsky discovered that NULL characters in certificate
names could lead to man-in-the-middle attacks by tricking the user
into accepting a rogue certificate.
CVE-2009-2409
Certificates with MD2 hash signatures are no longer accepted
since they're no longer considered cryptographically secure.
The old stable distribution (etch) doesn't contain nss.
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Network Security Services Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA36093
VERIFY ADVISORY:
http://secunia.com/advisories/36093/
DESCRIPTION:
Some vulnerabilities have been reported in Network Security Services,
which can potentially be exploited by malicious people to bypass
certain security restrictions or to compromise a vulnerable system.
1) An error in the regular expression parser when matching common
names in certificates can be exploited to cause a heap-based buffer
overflow, e.g. via a specially crafted certificate signed by a
trusted CA or when a user accepts a specially crafted certificate.
2) An error exists in the parsing of certain certificate fields,
which can be exploited to e.g. get a client to accept a specially
crafted certificate by mistake.
SOLUTION:
Update to version 3.12.3 or later.
PROVIDED AND/OR DISCOVERED BY:
Red Hat credits:
1) Moxie Marlinspike
2) Dan Kaminsky
ORIGINAL ADVISORY:
https://bugzilla.redhat.com/show_bug.cgi?id=512912
https://bugzilla.redhat.com/show_bug.cgi?id=510251
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200907-0062 | CVE-2009-1168 | Cisco IOS In RFC4893 BGP Service disruption related to routing processing (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0(33)S4, 12.0(32)SY8 through 12.0(32)SY9, 12.2(33)SXI1, 12.2XNC before 12.2(33)XNC2, 12.2XND before 12.2(33)XND1, and 12.4(24)T1; and IOS XE 2.3 through 2.3.1t and 2.4 through 2.4.0; when RFC4893 BGP routing is enabled, allows remote attackers to cause a denial of service (memory corruption and device reload) by using an RFC4271 peer to send an update with a long series of AS numbers, aka Bug ID CSCsy86021. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCsy86021. Exploitation may trigger memory corruption and a crash that displays a "%%Software-forced reload" error.
----------------------------------------------------------------------
1) An unspecified error exists in the processing of BGP update
messages whose AS path is constructed from more than 1000 autonomous
systems.
SOLUTION:
Update to a fixed version (please see the vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol
4-Byte Autonomous System Number
Vulnerabilities
Advisory ID: cisco-sa-20090729-bgp
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Revision: 1.0
=========
For Public Release 2009 July 29 1600 UTC (GMT)
Summary
=======
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software
with support for four-octet AS number space (hereafter referred to as
4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path
segments made up of more than one thousand autonomous systems.
Cisco has released free software updates to address these
vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Affected Products
=================
Vulnerable Products
+------------------
These vulnerabilities affect only devices running Cisco IOS and
Cisco IOS XE Software (hereafter both referred to as simply Cisco
IOS) with support for RFC4893 and that have been configured for
BGP routing.
The software table in the section "Software Versions and Fixes" of
this advisory indicates all affected Cisco IOS Software versions that
have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS software version that has support for RFC4893 will allow
configuration of AS numbers using 4 Bytes. The following example
identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
<1.0-XX.YY> 4 Octets Autonomous system number
Or:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-4294967295> Autonomous system number
<1.0-XX.YY> Autonomous system number
The following example identifies a Cisco device that has 2 byte AS
number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
A router that is running the BGP process will contain a line in the
configuration that defines the autonomous system number (AS number),
which can be seen by issuing the command line interface (CLI) command
"show running-config".
The canonical textual representation of four byte AS Numbers is
standardized by the IETF through RFC5396 (Textual Representation of
Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS
routers support both textual representations of AS numbers. For
further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte
Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS" at
the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both
vulnerabilities if BGP routing is configured using either ASPLAIN or
ASDOT notation.
The following example identifies a Cisco device that is configured
for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured
for BGP using ASDOT notation:
router bgp 1.0
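The two configuration lines above name the same AS number: ASDOT "1.0" is ASPLAIN 65536, so the question "is this router a 4-byte AS speaker?" reduces to normalising whatever notation the operator typed to an integer. The Python below is an added example, not Cisco's code and not part of the advisory; it implements the RFC 5396 conversions between ASPLAIN, ASDOT and ASDOT+ and scans a constructed `show running-config` excerpt for `router bgp` lines. All function names and the sample configuration are assumptions of this example.

```python
"""RFC 5396 AS number notation helpers (added example, not Cisco's code).

ASPLAIN: plain decimal, 0..4294967295 ("65536").
ASDOT+:  always "<high>.<low>", each part 0..65535 ("1.0").
ASDOT:   ASPLAIN below 65536, ASDOT+ from 65536 upward.
Cisco IOS accepts both ASPLAIN and ASDOT in "router bgp <asn>".
"""
import re

AS_MAX = 0xFFFFFFFF       # largest 4-byte AS number
TWO_BYTE_MAX = 0xFFFF     # largest AS number a 2-byte (RFC 4271) speaker can express

_ASDOT_RE = re.compile(r"^(\d+)\.(\d+)$")
_ROUTER_BGP_RE = re.compile(r"^\s*router bgp (\S+)\s*$", re.MULTILINE)


def parse_asn(text: str) -> int:
    """Convert an ASPLAIN ("65536") or ASDOT/ASDOT+ ("1.0") string to an int."""
    text = text.strip()
    m = _ASDOT_RE.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > TWO_BYTE_MAX or low > TWO_BYTE_MAX:
            raise ValueError(f"ASDOT component out of range: {text!r}")
        return (high << 16) | low
    if text.isdigit():
        value = int(text)
        if value > AS_MAX:
            raise ValueError(f"ASPLAIN value out of range: {text!r}")
        return value
    raise ValueError(f"not an AS number: {text!r}")


def _check_range(asn: int) -> None:
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")


def to_asplain(asn: int) -> str:
    _check_range(asn)
    return str(asn)


def to_asdotplus(asn: int) -> str:
    _check_range(asn)
    return f"{asn >> 16}.{asn & TWO_BYTE_MAX}"


def to_asdot(asn: int) -> str:
    _check_range(asn)
    return str(asn) if asn <= TWO_BYTE_MAX else to_asdotplus(asn)


def is_four_byte(asn: int) -> bool:
    """True when the AS number cannot be carried by an RFC 4271 (2-byte) speaker."""
    return asn > TWO_BYTE_MAX


def bgp_as_numbers(running_config: str):
    """Find every 'router bgp <asn>' line in a show running-config dump.

    Returns a list of (as_written, asplain_value, four_byte) tuples, so the
    same AS is reported identically whether it was typed as ASDOT or ASPLAIN.
    """
    results = []
    for token in _ROUTER_BGP_RE.findall(running_config):
        value = parse_asn(token)
        results.append((token, value, is_four_byte(value)))
    return results


# Constructed sample configuration (hypothetical device, not a real dump).
SAMPLE_CONFIG = """\
hostname edge-1
!
router bgp 1.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 198.51.100.1 remote-as 65536
!
"""

if __name__ == "__main__":
    for written, value, four_byte in bgp_as_numbers(SAMPLE_CONFIG):
        print(f"router bgp {written}: ASPLAIN {to_asplain(value)}, "
              f"ASDOT {to_asdot(value)}, 4-byte={four_byte}")
```

Running it against the sample reports `router bgp 1.0` as ASPLAIN 65536, a 4-byte AS, which is the "affected 4-byte AS number BGP speaker" condition the advisory describes.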
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS Software not explicitly mentioned in this Advisory
* Cisco IOS XR Software
* Cisco IOS NX-OS
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
RFC4271 has defined an AS number as a two-octet entity in BGP.
RFC4893 has defined an AS number as a four-octet entity in BGP.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains AS path segments made up of more
than one thousand autonomous systems. If an affected 4-byte AS number
BGP speaker receives a BGP update from a 2-byte AS number BGP speaker
that contains AS path segments made up of more than one thousand
autonomous systems, the device may crash with memory corruption, and
the error "%%Software-forced reload" will be displayed.
The following three conditions are required for successful
exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a BGP update with a
series of greater than one thousand AS numbers
Note: Cisco IOS, Cisco IOS XE, Cisco NX-OS and Cisco IOS XR
Software, acting as 2-byte AS number BGP speakers, send BGP updates with
a maximum of 255 AS numbers. The following three conditions are
required for successful exploitation of the second vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a non-RFC compliant
crafted BGP update message
This vulnerability is documented in Cisco Bug ID CSCta33973 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-2049.
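The trigger for the first vulnerability is observable on the wire: an AS_PATH attribute carrying more than one thousand AS numbers, arriving from a 2-byte peer. A route collector or monitoring host peering alongside the affected router can decode the attribute and alert on that condition. The Python below is an added example, not Cisco's code and not from the advisory; it decodes the value field of a BGP AS_PATH attribute as encoded by RFC 4271 (2-byte ASes) or RFC 4893 (4-byte ASes once the AS4 capability is negotiated), counts the AS numbers across all path segments, and reports paths over the advisory's threshold. The encoder exists only to build constructed sample input, and every function name and sample path is an assumption of this example.

```python
"""Decode BGP AS_PATH attribute values and flag over-long paths.

Added example (not Cisco's code, not from the advisory). Encoding per
RFC 4271 section 4.3 (AS_PATH) and RFC 4893 (4-byte ASes once the AS4
capability is negotiated): the attribute value is a sequence of path
segments, each <type:1><length:1><AS numbers...>, where length counts
ASes (not bytes) and each AS is 2 or 4 bytes depending on the session.
"""
import struct

AS_SET, AS_SEQUENCE = 1, 2
AS_TRANS = 23456            # RFC 4893: what a 2-byte session carries in place of a 4-byte AS
LONG_PATH_THRESHOLD = 1000  # advisory: updates with >1000 AS numbers trigger the reload


def parse_as_path(value: bytes, as_size: int = 2):
    """Decode an AS_PATH value into [(segment_type, [asn, ...]), ...].

    as_size is 2 for a plain RFC 4271 peer, 4 when AS4 was negotiated.
    Malformed input raises ValueError so a collector fails closed rather
    than reading past the end of the attribute.
    """
    if as_size not in (2, 4):
        raise ValueError("as_size must be 2 or 4")
    fmt = ">H" if as_size == 2 else ">I"
    segments = []
    pos = 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, seg_len = value[pos], value[pos + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown path segment type {seg_type}")
        pos += 2
        need = seg_len * as_size
        if pos + need > len(value):
            raise ValueError("segment length exceeds attribute length")
        asns = [struct.unpack_from(fmt, value, pos + i * as_size)[0]
                for i in range(seg_len)]
        pos += need
        segments.append((seg_type, asns))
    return segments


def as_count(segments) -> int:
    """Total number of AS numbers across all segments."""
    return sum(len(asns) for _, asns in segments)


def check_as_path(value: bytes, as_size: int = 2,
                  threshold: int = LONG_PATH_THRESHOLD):
    """Return (as_count, verdict); verdict is 'ok' or a short reason."""
    count = as_count(parse_as_path(value, as_size))
    if count > threshold:
        return count, f"long-path: {count} AS numbers exceeds {threshold}"
    return count, "ok"


def is_malformed(value: bytes, as_size: int = 2) -> bool:
    """True when the value does not decode cleanly for the given AS size."""
    try:
        parse_as_path(value, as_size)
    except ValueError:
        return True
    return False


def encode_as_path(segments, as_size: int = 2) -> bytes:
    """Inverse of parse_as_path; used here only to build constructed samples."""
    fmt = ">H" if as_size == 2 else ">I"
    out = bytearray()
    for seg_type, asns in segments:
        if len(asns) > 255:
            raise ValueError("a segment's 1-byte length field holds at most 255 ASes")
        out += bytes([seg_type, len(asns)])
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)


# Constructed samples using documentation ASNs from RFC 5398 (not real routes).
NORMAL_PATH = encode_as_path([(AS_SEQUENCE, [64496, 64497, AS_TRANS])])
# Five 250-AS segments: 1250 ASes in total, over the advisory's threshold.
LONG_PATH = encode_as_path([(AS_SEQUENCE, [64496] * 250)] * 5)

if __name__ == "__main__":
    for name, path in (("normal", NORMAL_PATH), ("long", LONG_PATH)):
        print(name, check_as_path(path))
```

Two details matter for a detector like this. The per-segment length byte caps a single segment at 255 ASes, which is why the advisory notes that Cisco's own 2-byte speakers send at most 255 AS numbers; a path beyond one thousand therefore spans several concatenated segments, so the count must be summed across segments rather than read from one length field. And on an RFC 4271 session a 4-byte AS appears as AS_TRANS (23456), so the AS_PATH seen from a 2-byte peer can legitimately contain repeated 23456 entries; the real 4-byte path travels in the separate AS4_PATH attribute.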
Further information regarding Cisco support for 4-byte AS number is
available in "Cisco IOS BGP 4-Byte ASN Support" at the following
link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsy86021: Cisco IOS Software BGP Long AS-path Vulnerability
CVSS Base Score - 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 6.7
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
CSCta33973: Cisco IOS Software Crafted BGP Update Message Vulnerability
CVSS Base Score - 5.4
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 4.5
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. The issue could result
in repeated exploitation to cause an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |Recommended |
|12.0-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.0 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.0(32)S11 | |
| |are not vulnerable; first fixed in | |
|12.0S |12.0(32)S14; | |
| | | |
| |Releases up to and including 12.0(33)S2 are| |
| |not vulnerable; first fixed in 12.0(33)S5 | |
|----------+-------------------------------------------+------------|
|12.0SC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0ST |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SY |Releases up to and including 12.0(32)SY7 |12.0(32)SY10|
| |are not vulnerable; first fixed in | |
| |12.0(32)SY9a. | |
|----------+-------------------------------------------+------------|
|12.0SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0W |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.1-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.2-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.2 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2B |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EWA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2S |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SBC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SED |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SGA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2STE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.2(33)SXI | |
|12.2SXI |are not vulnerable; CSCsy86021 first fixed | |
| |in 12.2(33)SXI2; CSCta33973 first fixed in | |
| |12.2(33)SXI3 | |
|----------+-------------------------------------------+------------|
|12.2SY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2TPC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNC |12.2(33)XNC2 | |
|----------+-------------------------------------------+------------|
|12.2XND |12.2(33)XND1; available 25th August 2009 | |
|----------+-------------------------------------------+------------|
|12.2XO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZYA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.3-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.4-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.4 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to 12.4(24)T are not | |
|12.4T |vulnerable; first fixed in 12.4(24)T2 | |
| |available on 23-Oct-2009 | |
|----------+-------------------------------------------+------------|
|12.4XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YD |Not Vulnerable | |
+-------------------------------------------------------------------+
Cisco IOS XE Release Table
+-------------------------
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.1 | There are no affected 2.1 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.2 | There are no affected 2.2 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | Releases up to and including 2.3.1t are vulnerable; |
| 2.3 | First fixed in 2.3.2 |
| Releases | |
|----------+--------------------------------------------------------+
| Affected | Releases up to and including 2.4.0 are vulnerable; |
| 2.4 | First fixed in 2.4.1, available 25th August 2009 |
| Releases | |
+----------+--------------------------------------------------------+
Workarounds
===========
For the first vulnerability, there are no workarounds on the affected
device. Neighbors could be configured to discard routes that have
more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP
updates with the AS path segments made up of greater than one
thousand AS numbers.
Note: Configuring "bgp maxas-limit [value]" on the affected device
does not mitigate this vulnerability.
For the second vulnerability, configuring "bgp maxas-limit [value]"
on the affected device does mitigate this vulnerability. Cisco
recommends using a conservative value of 100 to mitigate this
vulnerability.
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious exploitation of either of
these vulnerabilities, although we are aware of some customers who
have seen the first vulnerability triggered within their
infrastructures. Further investigation of those incidents seems to
indicate that the vulnerability has been accidentally triggered.
These vulnerabilities were discovered via internal product testing.
Status of this Notice: FINAL
============================
This information is Cisco Highly Confidential - Do not redistribute.
THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-July-29 1600 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
VAR-200907-0096 | CVE-2009-2049 | Cisco IOS In RFC4893 BGP Service disruption related to routing processing (DoS) Vulnerabilities |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0(33)S4, 12.0(32)SY8 through 12.0(32)SY9, 12.2(33)SXI1 through 12.2(33)SXI2, 12.2XNC before 12.2(33)XNC2, 12.2XND before 12.2(33)XND1, and 12.4(24)T1; and IOS XE 2.3 through 2.3.1t and 2.4 through 2.4.0; when RFC4893 BGP routing is enabled, allows remote attackers to cause a denial of service (device reload) by using an RFC4271 peer to send a malformed update, aka Bug ID CSCta33973. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCta33973. May trigger memory corruption and crash with a %%Software-forced reload error.
----------------------------------------------------------------------
1) An unspecified error exists in the processing of BGP update
messages and can be triggered by an update whose AS path segments are
constructed from more than 1000 autonomous systems.
SOLUTION:
Update to a fixed version (please see the vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol
4-Byte Autonomous System Number
Vulnerabilities
Advisory ID: cisco-sa-20090729-bgp
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Revision: 1.0
=========
For Public Release 2009 July 29 1600 UTC (GMT)
Summary
=======
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software
with support for the four-octet AS number space (hereafter referred to
as 4-byte AS numbers) and BGP routing configured.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path
segments made up of more than one thousand autonomous systems.
Cisco has released free software updates to address these
vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Affected Products
=================
Vulnerable Products
+------------------
These vulnerabilities affect only devices running Cisco IOS and
Cisco IOS XE Software (hereafter both referred to as simply Cisco
IOS) with support for RFC4893 that have been configured for BGP
routing.
The software table in the section "Software Versions and Fixes" of
this advisory indicates all affected Cisco IOS Software versions that
have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS Software version that supports RFC4893 allows AS numbers
to be configured using 4 bytes. The following example identifies a
Cisco device that has 4-byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
<1.0-XX.YY> 4 Octets Autonomous system number
Or:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-4294967295> Autonomous system number
<1.0-XX.YY> Autonomous system number
The following example identifies a Cisco device that has 2-byte AS
number support only:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
A router that is running the BGP process will contain a line in the
configuration that defines the autonomous system number (AS number),
which can be seen by issuing the command line interface (CLI) command
"show running-config".
The canonical textual representation of four-byte AS numbers is
standardized by the IETF in RFC5396 (Textual Representation of
Autonomous System (AS) Numbers), which defines two notations, ASPLAIN
and ASDOT. Cisco IOS routers support both notations. For
further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte
Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS" at
the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both
vulnerabilities if BGP routing is configured using either ASPLAIN or
ASDOT notation.
The following example identifies a Cisco device that is configured
for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured
for BGP using ASDOT notation:
router bgp 1.0
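The ASPLAIN/ASDOT conversion described above, as an added example in Python (not code from the Cisco advisory or from Cisco IOS): it parses either notation, converts between them per RFC5396, and pulls the AS number out of a "router bgp" line so that a fleet-wide check can compare AS numbers regardless of which notation each router was configured with. The running-config fragment is constructed for the example; the function and variable names are the example's own.

```python
"""asplain <-> asdot conversion for 4-byte AS numbers (RFC 5396).

Added example; not code from the Cisco advisory or from Cisco IOS.
"""
import re
from typing import Optional

AS_MAX = 0xFFFFFFFF           # largest 4-octet AS number (4294967295)
_ASDOT_RE = re.compile(r"^(\d{1,5})\.(\d{1,5})$")


def parse_asn(text: str) -> int:
    """Parse an AS number written in asplain ("65536") or asdot ("1.0").

    Raises ValueError for malformed input or values outside 32 bits.
    """
    text = text.strip()
    m = _ASDOT_RE.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"asdot component out of range: {text!r}")
        return (high << 16) | low
    if not text.isdigit():
        raise ValueError(f"not an AS number: {text!r}")
    value = int(text)
    if value > AS_MAX:
        raise ValueError(f"AS number exceeds 32 bits: {text!r}")
    return value


def to_asplain(asn: int) -> str:
    """asplain is the plain decimal value, for 2-byte and 4-byte ASNs alike."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    return str(asn)


def to_asdot(asn: int) -> str:
    """asdot keeps 2-byte ASNs as plain decimals and writes larger ones as high.low."""
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"AS number out of range: {asn}")
    if asn <= 0xFFFF:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def needs_four_byte_support(asn: int) -> bool:
    """True when the ASN does not fit the 2-octet AS field of RFC 4271."""
    return asn > 0xFFFF


def bgp_asn_from_config(running_config: str) -> Optional[int]:
    """Return the ASN from the 'router bgp <asn>' line of a running-config, in either notation."""
    m = re.search(r"^router bgp (\S+)\s*$", running_config, re.MULTILINE)
    return parse_asn(m.group(1)) if m else None


# Constructed sample: a router configured in ASDOT notation (equivalent to asplain 65536).
SAMPLE_CONFIG = """\
hostname Router
!
router bgp 1.0
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 64496
!
"""

if __name__ == "__main__":
    asn = bgp_asn_from_config(SAMPLE_CONFIG)
    print(asn, to_asplain(asn), to_asdot(asn), needs_four_byte_support(asn))
```

Because ASDOT writes values below 65536 as plain decimals, a "router bgp" line alone does not reveal which notation a router is set to; only a 4-byte value such as "1.0" versus "65536" does, which is why the parser accepts both.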
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS Software releases not explicitly mentioned in this Advisory
* Cisco IOS XR Software
* Cisco NX-OS Software
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
RFC4271 has defined an AS number as a two-octet entity in BGP.
RFC4893 has defined an AS number as a four-octet entity in BGP.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains AS path segments made up of more
than one thousand autonomous systems. If an affected 4-byte AS number
BGP speaker receives a BGP update from a 2-byte AS number BGP speaker
that contains AS path segments made up of more than one thousand
autonomous systems, the device may crash with memory corruption, and
the error "%Software-forced reload" will be displayed.
The following three conditions are required for successful
exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a BGP update with a
series of greater than one thousand AS numbers
Note: Cisco IOS, Cisco IOS XE, Cisco NX-OS and Cisco IOS XR Software,
acting as a 2-byte AS number BGP speaker, send BGP updates with a
maximum of 255 AS numbers, so a Cisco peer that observes this limit
does not by itself trigger the condition.
The first vulnerability is documented in Cisco Bug ID CSCsy86021.
The second vulnerability could cause an affected device to reload when
processing a crafted BGP update message. The following three
conditions are required for successful exploitation of this
vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a non-RFC compliant
crafted BGP update message
The second vulnerability is documented in Cisco Bug ID CSCta33973 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-2049.
Further information regarding Cisco support for 4-byte AS number is
available in "Cisco IOS BGP 4-Byte ASN Support" at the following
link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsy86021: Cisco IOS Software BGP Long AS-path Vulnerability
CVSS Base Score - 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score - 6.7
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
CSCta33973: Cisco IOS Software Crafted BGP Update Message Vulnerability
CVSS Base Score - 5.4
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
CVSS Temporal Score - 4.5
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. Repeated exploitation
could result in an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Release" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |Recommended |
|12.0-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.0 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.0(32)S11 | |
| |are not vulnerable; first fixed in | |
|12.0S |12.0(32)S14; | |
| | | |
| |Releases up to and including 12.0(33)S2 are| |
| |not vulnerable; first fixed in 12.0(33)S5 | |
|----------+-------------------------------------------+------------|
|12.0SC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0ST |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SY |Releases up to and including 12.0(32)SY7 |12.0(32)SY10|
| |are not vulnerable; first fixed in | |
| |12.0(32)SY9a. | |
|----------+-------------------------------------------+------------|
|12.0SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0W |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.1-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.2-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.2 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2B |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EWA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2S |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SBC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SED |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SGA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2STE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.2(33)SXI | |
|12.2SXI |are not vulnerable; CSCsy86021 first fixed | |
| |in 12.2(33)SXI2; CSCta33973 first fixed in | |
| |12.2(33)SXI3 | |
|----------+-------------------------------------------+------------|
|12.2SY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2TPC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNC |12.2(33)XNC2 | |
|----------+-------------------------------------------+------------|
|12.2XND |12.2(33)XND1; available 25th August 2009 | |
|----------+-------------------------------------------+------------|
|12.2XO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZYA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.3-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.4-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.4 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to 12.4(24)T are not | |
|12.4T |vulnerable; first fixed in 12.4(24)T2 | |
| |available on 23-Oct-2009 | |
|----------+-------------------------------------------+------------|
|12.4XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YD |Not Vulnerable | |
+-------------------------------------------------------------------+
Cisco IOS XE Release Table
+-------------------------
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.1 | There are no affected 2.1 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.2 | There are no affected 2.2 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | Releases up to and including 2.3.1t are vulnerable; |
| 2.3 | First fixed in 2.3.2 |
| Releases | |
|----------+--------------------------------------------------------+
| Affected | Releases up to and including 2.4.0 are vulnerable; |
| 2.4 | First fixed in 2.4.1, available 25th August 2009 |
| Releases | |
+----------+--------------------------------------------------------+
Workarounds
===========
For the first vulnerability, there are no workarounds on the affected
device. Neighbors could be configured to discard routes that have
more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP
updates with the AS path segments made up of greater than one
thousand AS numbers.
Note: Configuring "bgp maxas-limit [value]" on the affected device
does not mitigate this vulnerability.
For the second vulnerability, configuring "bgp maxas-limit [value]"
on the affected device does mitigate this vulnerability. Cisco
recommends using a conservative value of 100 to mitigate this
vulnerability.
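The following Cisco IOS configuration fragment is an added example, not part of the advisory, showing where the "bgp maxas-limit" command from the workaround above is applied; the AS numbers and the neighbor address are constructed placeholders. Note the asymmetry the advisory describes: for the second vulnerability this setting on the affected device is the mitigation, while for the first vulnerability it must be applied on the neighbors so that updates carrying more than one thousand AS numbers are discarded before they reach the affected device.

```text
! Constructed example: local AS 65000 and neighbor 192.0.2.1 are placeholders.
router bgp 65000
 ! Discard received routes whose AS-path contains more than 100 AS numbers
 ! (the conservative value recommended in the advisory above).
 bgp maxas-limit 100
 neighbor 192.0.2.1 remote-as 65001
```

Apply the same stanza on each BGP speaker that peers with the affected device when the goal is to stop propagation of long AS paths towards it.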
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious exploitation of either of
these vulnerabilities, although we are aware of some customers who
have seen the first vulnerability triggered within their
infrastructures. Further investigation of those incidents seems to
indicate that the vulnerability has been accidentally triggered.
These vulnerabilities were discovered via internal product testing.
Status of this Notice: FINAL
============================
This information is Cisco Highly Confidential - Do not redistribute.
THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-July-29 1600 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKcGNc86n/Gc8U/uARAks6AKCCWLTakna/WbNzMuIbeGPJGJHnbQCfbYEi
I6XwyRZTnktw7RSnT6Y/N1E=
=KmUm
-----END PGP SIGNATURE-----
VAR-200907-0059 | CVE-2009-1165 | Cisco Wireless LAN Controller Memory leak vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0, 5.1 before 5.1.163.0, and 5.0 and 5.2 before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (memory consumption and device reload) via SSH management connections, aka Bug ID CSCsw40789. The Cisco Wireless LAN Controller, used in multiple Cisco products, contains a memory leak vulnerability (Bug ID CSCsw40789). A third party could cause a denial of service (DoS) via SSH management connections.
An attacker can exploit this issue to trigger an affected device to crash and reload, denying service to legitimate users.
This issue is being tracked by Cisco BugID CSCsw40789.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
* The crafted HTTP or HTTPS request denial of service vulnerability
affects software versions 4.1 and later.
* The crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability affects software versions 4.1 and
later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsx03715 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
has been assigned CVE ID CVE-2009-1165.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsy27708 and
has been assigned CVE ID CVE-2009-1166.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
been assigned CVE ID CVE-2009-1167.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
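The "Determination of Software Versions" procedure above and the fix table just shown are the two inputs a defender needs to triage a fleet of controllers. The script below is an added example, not Cisco's code: it extracts the Product Version from "show sysinfo" output and classifies it against the first-fixed versions the table gives for the SSH connections DoS vulnerability (CSCsw40789). The sample CLI output is constructed for the example. Because the version string alone does not reveal whether a controller runs a mesh (4.1M/4.2M) image, the caller passes that as a flag; that is an assumption of this example, and trains the table does not list are reported as unknown rather than guessed.

```python
"""Triage helper for the CSCsw40789 (SSH connections DoS) fix table.

Added example, not Cisco's code. First-fixed versions are taken from the
advisory's "Software Versions and Fixes" table; the sample CLI output is
constructed for the example.
"""
import re
from typing import Optional, Tuple

# Constructed sample of "show sysinfo" output, same shape as the advisory's.
SAMPLE_SYSINFO = """\
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
"""

# First fixed version per major release train for CSCsw40789 (from the table).
# None means the train has no fixed release of its own: migrate to a fixed train.
FIRST_FIXED = {
    "4.1": None,          # table: Migrate to 4.2
    "4.2": "4.2.205.0",
    "5.0": None,          # table: Migrate to 5.2 or 6.0
    "5.1": "5.1.163.0",
    "5.2": "5.2.178.0",
}
NOT_VULNERABLE_TRAINS = {"6.0"}   # 6.0 is listed as Not Vulnerable


def parse_product_version(sysinfo: str) -> Optional[str]:
    """Return the value of the 'Product Version' line, or None if absent."""
    m = re.search(r"^Product Version\.*\s+(\d+(?:\.\d+)+)\s*$", sysinfo, re.M)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.1.151.0' -> (5, 1, 151, 0), so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def assess_ssh_dos(version: str, mesh_release: bool = False) -> str:
    """Classify a WLC version for CSCsw40789.

    Returns 'not_vulnerable', 'vulnerable', 'fixed', 'migrate' or 'unknown'.
    mesh_release is an assumption of this example: the advisory tracks the
    4.1M/4.2M mesh trains separately, and the version string alone does not
    identify them, so the caller supplies that from inventory.
    """
    parts = version_tuple(version)
    if len(parts) < 2:
        return "unknown"
    train = f"{parts[0]}.{parts[1]}"
    if mesh_release:
        if train == "4.2":
            return "not_vulnerable"   # 4.2M: Not Vulnerable
        if train == "4.1":
            return "migrate"          # 4.1M: migrate to 5.2, 6.0 or 4.2M
        return "unknown"
    if train in NOT_VULNERABLE_TRAINS:
        return "not_vulnerable"
    if train not in FIRST_FIXED:
        return "unknown"              # train not covered by the table
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "migrate"
    return "fixed" if parts >= version_tuple(fixed) else "vulnerable"


def triage_sysinfo(sysinfo: str, mesh_release: bool = False) -> Tuple[Optional[str], str]:
    """Parse CLI output and classify it; (None, 'unknown') if no version found."""
    version = parse_product_version(sysinfo)
    if version is None:
        return None, "unknown"
    return version, assess_ssh_dos(version, mesh_release)


if __name__ == "__main__":
    # The constructed sample runs 5.1.151.0, below the 5.1.163.0 fix.
    print(triage_sysinfo(SAMPLE_SYSINFO))
```

Feed it the captured "show sysinfo" text from each controller (or the "Software Version" value from "show wism ... status" on a WiSM) and act on anything other than "fixed" or "not_vulnerable"; a "migrate" result means the table offers no fix within that train.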
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
VAR-200907-0061 | CVE-2009-1167 | Cisco Wireless LAN Controller Vulnerabilities whose settings are changed |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to modify the configuration via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy44672. The Cisco Wireless LAN Controller (WLC), used in multiple Cisco products, contains a vulnerability that allows its configuration to be changed (Bug ID CSCsy44672). A crafted HTTP or HTTPS request from a third party could change the device settings.
Successful exploits may allow attackers to modify configuration settings, which may compromise the affected device or aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCsy44672.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections. An attacker could use this
behavior to cause an affected device to crash and reload.
Note: A three-way handshake is not required to exploit this
vulnerability.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
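As an added check (example code written for this page, not Cisco's), the CVSS v2.0 equations applied to the metric values listed above reproduce the 7.8 base and 6.4 temporal scores of the three DoS entries; with the same Functional / Official-Fix / Confirmed temporal metrics, a base of 10 computes to 8.3, so the 6.4 printed for CSCsy44672 does not follow from its own metrics.

```python
"""CVSS v2.0 base and temporal score calculator.

Added example, not part of the Cisco advisory. It recomputes the scores in
the "Vulnerability Scoring Details" section from the metric values printed
there, using the CVSS v2.0 equations. The arithmetic is done in Decimal so
the standard's round-to-one-decimal step is exact instead of being subject
to binary floating-point error (e.g. 8.265 must round up to 8.3).
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification, keyed by the value
# names the advisory prints.
ACCESS_VECTOR = {"Local": "0.395", "Adjacent Network": "0.646", "Network": "1.0"}
ACCESS_COMPLEXITY = {"High": "0.35", "Medium": "0.61", "Low": "0.71"}
AUTHENTICATION = {"Multiple": "0.45", "Single": "0.56", "None": "0.704"}
IMPACT = {"None": "0.0", "Partial": "0.275", "Complete": "0.660"}
EXPLOITABILITY = {"Unproven": "0.85", "Proof-of-Concept": "0.9",
                  "Functional": "0.95", "High": "1.0", "Not Defined": "1.0"}
REMEDIATION_LEVEL = {"Official-Fix": "0.87", "Temporary-Fix": "0.90",
                     "Workaround": "0.95", "Unavailable": "1.0", "Not Defined": "1.0"}
REPORT_CONFIDENCE = {"Unconfirmed": "0.90", "Uncorroborated": "0.95",
                     "Confirmed": "1.0", "Not Defined": "1.0"}


def _weight(table, name):
    return Decimal(table[name])


def _round1(value):
    """CVSS round_to_1_decimal: half-up to one decimal place."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail):
    """CVSS v2.0 base equation."""
    impact = Decimal("10.41") * (1 - (1 - _weight(IMPACT, conf))
                                 * (1 - _weight(IMPACT, integ))
                                 * (1 - _weight(IMPACT, avail)))
    if impact == 0:
        return 0.0  # f(Impact) = 0 when there is no impact at all
    exploitability = (Decimal("20") * _weight(ACCESS_VECTOR, av)
                      * _weight(ACCESS_COMPLEXITY, ac) * _weight(AUTHENTICATION, au))
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability
                    - Decimal("1.5")) * Decimal("1.176"))


def temporal_score(base, e, rl, rc):
    """CVSS v2.0 temporal equation, applied to the rounded base score."""
    return _round1(Decimal(str(base)) * _weight(EXPLOITABILITY, e)
                   * _weight(REMEDIATION_LEVEL, rl) * _weight(REPORT_CONFIDENCE, rc))


# The four entries above as (AV, AC, Au, C, I, A, E, RL, RC).
DOS_METRICS = ("Network", "Low", "None", "None", "None", "Complete",
               "Functional", "Official-Fix", "Confirmed")
ADVISORY_METRICS = {
    "CSCsx03715": DOS_METRICS,
    "CSCsw40789": DOS_METRICS,
    "CSCsy27708": DOS_METRICS,
    "CSCsy44672": ("Network", "Low", "None", "Complete", "Complete", "Complete",
                   "Functional", "Official-Fix", "Confirmed"),
}


def score_advisory(metrics=ADVISORY_METRICS):
    """Return {bug_id: (base, temporal)} for each entry."""
    scores = {}
    for bug, (av, ac, au, c, i, a, e, rl, rc) in metrics.items():
        base = base_score(av, ac, au, c, i, a)
        scores[bug] = (base, temporal_score(base, e, rl, rc))
    return scores


if __name__ == "__main__":
    for bug, (base, temporal) in score_advisory().items():
        print(f"{bug}: base {base}, temporal {temporal}")
```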
Impact
======
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
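To apply the table above to a running controller, as an added example (not Cisco's code): extract the version from the show sysinfo or show wism output shown earlier and compare it, per Bug ID, against the first fixed release of its train. One assumption the advisory does not state is that a mesh (4.1M / 4.2M) release is recognised by a trailing "M" or the word "Mesh" after the version number, as in "4.2.176.51 Mesh".

```python
"""Check a running WLC release against the fixed-release table of
cisco-sa-20090727-wlc.

Added example, not part of the Cisco advisory. It pulls the version out of
`show sysinfo` or `show wism module N controller 1 status` output and
reports, per Cisco Bug ID, whether that release is at or past the first
fixed version in the table above. Assumption not stated in the advisory:
a mesh (4.1M / 4.2M) release is recognised by a trailing "M" or the word
"Mesh" after the version number, as in "4.2.176.51 Mesh".
"""
import re

NOT_VULNERABLE = "not vulnerable"
MIGRATE = None  # the table says "Migrate to ...": no fixed build in that train

# Transcribed from the "Software Versions and Fixes" table: bug ID ->
# release train -> first fixed version.
FIXES = {
    "CSCsx03715": {"4.1": NOT_VULNERABLE, "4.1M": NOT_VULNERABLE, "4.2": "4.2.205.0",
                   "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": MIGRATE,
                   "5.2": "5.2.178.0", "6.0": NOT_VULNERABLE},
    "CSCsw40789": {"4.1": MIGRATE, "4.1M": MIGRATE, "4.2": "4.2.205.0",
                   "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": "5.1.163.0",
                   "5.2": "5.2.178.0", "6.0": NOT_VULNERABLE},
    "CSCsy27708": {"4.1": MIGRATE, "4.1M": MIGRATE, "4.2": "4.2.205.0",
                   "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": MIGRATE,
                   "5.2": "5.2.191.0", "6.0": NOT_VULNERABLE},
    "CSCsy44672": {"4.1": MIGRATE, "4.1M": MIGRATE, "4.2": "4.2.205.0",
                   "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": MIGRATE,
                   "5.2": "5.2.191.0", "6.0": NOT_VULNERABLE},
}

# Sample CLI output, reproduced from the advisory's own examples above.
SYSINFO_SAMPLE = """(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
"""
WISM_SAMPLE = """Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Management IP Address                : 192.168.1.123
Software Version                     : 5.1.151.0
Port Channel Number                  : 288
"""

VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})\s*(Mesh|M)?")


def parse_version(text):
    """Return (numeric tuple, train) for '5.1.151.0' or '4.2.176.51 Mesh'."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised WLC version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    train = f"{nums[0]}.{nums[1]}" + ("M" if m.group(2) else "")
    return nums, train


def version_from_show_output(output):
    """Extract the version string from `show sysinfo` (Product Version....)
    or `show wism` (Software Version : ...) output; the WiSM value may be
    wrapped onto the line after its label."""
    m = re.search(r"(?:Product|Software) Version[.\s]*:?\s*"
                  r"(\d+(?:\.\d+){1,3}(?:\s*Mesh|M)?)", output)
    if not m:
        raise ValueError("no version field found in output")
    return m.group(1)


def assess(version, fixes=FIXES):
    """Map each bug ID to one of: 'not vulnerable', 'fixed', 'vulnerable',
    'vulnerable (no fix in train; migrate)', or 'unknown train' when the
    release train is absent from the advisory table."""
    nums, train = parse_version(version)
    verdicts = {}
    for bug, table in fixes.items():
        if train not in table:
            verdicts[bug] = "unknown train"
        elif table[train] == NOT_VULNERABLE:
            verdicts[bug] = NOT_VULNERABLE
        elif table[train] is MIGRATE:
            verdicts[bug] = "vulnerable (no fix in train; migrate)"
        elif nums >= parse_version(table[train])[0]:
            verdicts[bug] = "fixed"
        else:
            verdicts[bug] = "vulnerable"
    return verdicts


if __name__ == "__main__":
    for sample in (SYSINFO_SAMPLE, WISM_SAMPLE):
        running = version_from_show_output(sample)
        for bug, verdict in assess(running).items():
            print(f"{running:<16} {bug}: {verdict}")
```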
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
© 2008 - 2009 Cisco Systems, Inc. All rights reserved.
VAR-200907-0060 | CVE-2009-1166 | Cisco Wireless LAN Controller administrative web interface denial of service (DoS) vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy27708. Multiple Cisco products that use the Cisco Wireless LAN Controller (WLC) contain a denial of service (DoS) vulnerability in the administrative web interface. The problem is Bug ID CSCsy27708. A remote third party may be able to put the device into a denial of service (DoS) state via a crafted HTTP or HTTPS request.
An attacker can exploit this issue to trigger an affected device to crash and reload, causing denial-of-service conditions.
This issue is documented by Cisco Bug ID CSCsy27708.
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN                         : 192
Service Port                         : 10
Service Port Mac Address             : 0011.92ff.8742
Service IP Address                   : 192.168.10.1
Management IP Address                : 192.168.1.123
Software Version                     : 5.1.151.0
Port Channel Number                  : 288
Allowed vlan list                    : 30,40
Native VLAN ID                       : 40
WCP Keep Alive Missed                : 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections. An attacker could use this
behavior to cause an affected device to crash and reload.
Note: A three-way handshake is not required to exploit this
vulnerability.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+----------+--------------+-------------------------+
| Revision | Date         | Description             |
|----------+--------------+-------------------------|
| 1.0      | 2009-July-27 | Initial public release. |
+----------+--------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
© 2008 - 2009 Cisco Systems, Inc. All rights reserved.
VAR-200908-0426 | CVE-2009-2093 | IBM WPG Enterprise In the console SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in the console in IBM WebSphere Partner Gateway (WPG) Enterprise 6.0 before FP8, 6.1 before FP3, 6.1.1 before FP2, and 6.2 before FP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The issue affects the following:
WebSphere Partner Gateway 6.0 Enterprise
WebSphere Partner Gateway 6.1.0 Enterprise
WebSphere Partner Gateway 6.1.1 Enterprise
WebSphere Partner Gateway 6.2 Enterprise.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
WebSphere Partner Gateway 6.0:
Apply the latest Fix Pack (WPG 6.0 FP8 or later) or APAR JR32608.
WebSphere Partner Gateway 6.1:
Apply the latest Fix Pack (WPG 6.1 FP3, WPG 6.1.1 FP2 or later), or
APAR JR32609 or APAR JR32386.
WebSphere Partner Gateway 6.2:
Apply the latest Fix Pack (WPG 6.2 FP1 or later) or APAR JR32607
(JR33176).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21382117
IBM ISS X-Force:
http://xforce.iss.net/xforce/xfdb/52393
VAR-200907-0058 | CVE-2009-1164 |
Cisco Wireless LAN Controller For managing Web Service disruption at the interface (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200907-1149 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.2 before 4.2.205.0 and 5.x before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a malformed response to a (1) HTTP or (2) HTTPS authentication request, aka Bug ID CSCsx03715. The administrative web interface of the Cisco Wireless LAN Controller (WLC), used in multiple Cisco products, has a denial of service (DoS) vulnerability. The issue is tracked as Bug ID CSCsx03715. A third party could cause a DoS condition via a malformed response to an HTTP or HTTPS authentication request.
An attacker can exploit this issue to trigger an affected device to reboot, causing denial-of-service conditions.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
* The crafted HTTP or HTTPS request denial of service vulnerability
affects software versions 4.1 and later.
* The crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability affects software versions 4.1 and
later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller : Oper-Up
Service VLAN : 192
Service Port : 10
Service Port Mac Address : 0011.92ff.8742
Service IP Address : 192.168.10.1
Management IP Address : 192.168.1.123
Software Version : 5.1.151.0
Port Channel Number : 288
Allowed vlan list : 30,40
Native VLAN ID : 40
WCP Keep Alive Missed : 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsx03715 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
has been assigned CVE ID CVE-2009-1165.
* Crafted HTTP or HTTPS request denial of service vulnerability
An attacker with the ability to send a malicious HTTP request to
an affected WLC could cause the device to crash and reload.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsy27708 and
has been assigned CVE ID CVE-2009-1166.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
been assigned CVE ID CVE-2009-1167.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
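The scores above can be reproduced from the listed metrics with the CVSS v2.0 equations. The following is an added example, not part of the Cisco advisory: the weights are the published CVSS v2 constants and the four vectors are transcribed from the entries above. The three DoS entries reproduce as 7.8 / 6.4 and CSCsy44672 reproduces a base score of 10, but the temporal score computed from its own metrics (Functional, Official-Fix, Confirmed) comes to 8.3 rather than the 6.4 printed above, which is the kind of discrepancy a recomputation is meant to catch.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 metric weights (published constants), keyed by the metric
# labels the advisory uses.
ACCESS_VECTOR = {"Local": "0.395", "Adjacent Network": "0.646", "Network": "1.0"}
ACCESS_COMPLEXITY = {"High": "0.35", "Medium": "0.61", "Low": "0.71"}
AUTHENTICATION = {"Multiple": "0.45", "Single": "0.56", "None": "0.704"}
IMPACT = {"None": "0.0", "Partial": "0.275", "Complete": "0.660"}
EXPLOITABILITY = {"Unproven": "0.85", "Proof-of-Concept": "0.9",
                  "Functional": "0.95", "High": "1.0", "Not Defined": "1.0"}
REMEDIATION_LEVEL = {"Official-Fix": "0.87", "Temporary-Fix": "0.90",
                     "Workaround": "0.95", "Unavailable": "1.0", "Not Defined": "1.0"}
REPORT_CONFIDENCE = {"Unconfirmed": "0.90", "Uncorroborated": "0.95",
                     "Confirmed": "1.0", "Not Defined": "1.0"}


def _round1(value):
    """CVSS v2 rounds every score to one decimal place."""
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def base_score(av, ac, au, conf, integ, avail):
    """CVSS v2 base equation from the six base metrics."""
    impact = Decimal("10.41") * (
        1 - (1 - Decimal(IMPACT[conf]))
          * (1 - Decimal(IMPACT[integ]))
          * (1 - Decimal(IMPACT[avail])))
    exploitability = (Decimal("20") * Decimal(ACCESS_VECTOR[av])
                      * Decimal(ACCESS_COMPLEXITY[ac]) * Decimal(AUTHENTICATION[au]))
    # f(Impact) is 0 when there is no impact at all, 1.176 otherwise.
    f_impact = Decimal("0") if impact == 0 else Decimal("1.176")
    return _round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability
                    - Decimal("1.5")) * f_impact)


def temporal_score(base, e, rl, rc):
    """CVSS v2 temporal equation applied to an already-rounded base score."""
    return _round1(base * Decimal(EXPLOITABILITY[e])
                   * Decimal(REMEDIATION_LEVEL[rl]) * Decimal(REPORT_CONFIDENCE[rc]))


def score_entry(m):
    """(base, temporal) as floats for one advisory entry."""
    base = base_score(m["av"], m["ac"], m["au"], m["c"], m["i"], m["a"])
    return float(base), float(temporal_score(base, m["e"], m["rl"], m["rc"]))


# Metric values transcribed from the advisory's scoring section.  The three
# DoS entries share one vector; the configuration-modification entry adds
# complete confidentiality and integrity impact.
_DOS = dict(av="Network", ac="Low", au="None", c="None", i="None", a="Complete",
            e="Functional", rl="Official-Fix", rc="Confirmed")
ADVISORY = {
    "CSCsx03715": _DOS,
    "CSCsw40789": _DOS,
    "CSCsy27708": _DOS,
    "CSCsy44672": dict(_DOS, c="Complete", i="Complete"),
}


if __name__ == "__main__":
    for bug, metrics in ADVISORY.items():
        base, temporal = score_entry(metrics)
        print(f"{bug}: base {base} temporal {temporal}")
```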
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Malformed HTTP or HTTPS authentication response denial of service
vulnerability (CSCsx03715)
+------------------+------------------------------+-----------------------------------------+
| Affected Release | First Fixed Version          | Recommended Release                     |
|------------------+------------------------------+-----------------------------------------|
| 4.1              | Not Vulnerable               | Not Vulnerable                          |
| 4.1M             | Not Vulnerable               | Not Vulnerable                          |
| 4.2              | 4.2.205.0                    | 4.2.207.0                               |
| 4.2M             | Not Vulnerable               | Not Vulnerable                          |
| 5.0              | Migrate to 5.2 or 6.0        | 5.2.193.0 or 6.0.182.0                  |
| 5.1              | Migrate to 5.2 or 6.0        | 5.2.193.0 or 6.0.182.0                  |
| 5.2              | 5.2.178.0                    | 5.2.193.0 or 6.0.182.0                  |
| 6.0              | Not Vulnerable               | Not Vulnerable                          |
+------------------+------------------------------+-----------------------------------------+
SSH connections denial of service vulnerability (CSCsw40789)
+------------------+------------------------------+-----------------------------------------+
| Affected Release | First Fixed Version          | Recommended Release                     |
|------------------+------------------------------+-----------------------------------------|
| 4.1              | Migrate to 4.2               | 4.2.205.0                               |
| 4.1M             | Migrate to 5.2, 6.0, or 4.2M | 5.2.193.0, 6.0.182.0 or 4.2.176.51 Mesh |
| 4.2              | 4.2.205.0                    | 4.2.207.0                               |
| 4.2M             | Not Vulnerable               | Not Vulnerable                          |
| 5.0              | Migrate to 5.2 or 6.0        | 5.2.193.0 or 6.0.182.0                  |
| 5.1              | 5.1.163.0                    | 5.2.193.0 or 6.0.182.0                  |
| 5.2              | 5.2.178.0                    | 5.2.193.0 or 6.0.182.0                  |
| 6.0              | Not Vulnerable               | Not Vulnerable                          |
+------------------+------------------------------+-----------------------------------------+
Crafted HTTP request may cause the WLC to crash (CSCsy27708)
+------------------+------------------------------+-----------------------------------------+
| Affected Release | First Fixed Version          | Recommended Release                     |
|------------------+------------------------------+-----------------------------------------|
| 4.1              | Migrate to 4.2               | 4.2.205.0                               |
| 4.1M             | Migrate to 5.2, 6.0, or 4.2M | 5.2.193.0, 6.0.182.0 or 4.2.176.51 Mesh |
| 4.2              | 4.2.205.0                    | 4.2.207.0                               |
| 4.2M             | Not Vulnerable               | Not Vulnerable                          |
| 5.0              | Migrate to 5.2 or 6.0        | 5.2.193.0 or 6.0.182.0                  |
| 5.1              | Migrate to 5.2 or 6.0        | 5.2.193.0 or 6.0.182.0                  |
| 5.2              | 5.2.191.0                    | 5.2.193.0 or 6.0.182.0                  |
| 6.0              | Not Vulnerable               | Not Vulnerable                          |
+------------------+------------------------------+-----------------------------------------+
Crafted HTTP or HTTPS request unauthorized configuration modification
vulnerability (CSCsy44672)
+------------------+------------------------------+-----------------------------------------+
| Affected Release | First Fixed Version          | Recommended Release                     |
|------------------+------------------------------+-----------------------------------------|
| 4.1              | Migrate to 4.2               | 4.2.205.0                               |
| 4.1M             | Migrate to 5.2, 6.0, or 4.2M | 5.2.193.0, 6.0.182.0 or 4.2.176.51 Mesh |
| 4.2              | 4.2.205.0                    | 4.2.207.0                               |
| 4.2M             | Not Vulnerable               | Not Vulnerable                          |
| 5.0              | Migrate to 5.2 or 6.0        | 5.2.193.0, 6.0.182.0                    |
| 5.1              | Migrate to 5.2 or 6.0        | 5.2.193.0 or 6.0.182.0                  |
| 5.2              | 5.2.191.0                    | 5.2.193.0 or 6.0.182.0                  |
| 6.0              | Not Vulnerable               | Not Vulnerable                          |
+------------------+------------------------------+-----------------------------------------+
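A defender auditing a fleet will want to combine the version-determination procedure above (the Product Version field of show sysinfo) with the First Fixed Version column of this table. The following exposure check is an added example, not Cisco's code: the table data is transcribed from the advisory, while the regular expression, the numeric version comparison and the `mesh` flag used to tell the 4.1M/4.2M mesh trains apart from 4.1/4.2 are this example's own assumptions.

```python
import re

NOT_VULNERABLE = "Not Vulnerable"
MIGRATE = "Migrate"  # the advisory lists no fixed version in this train

# First Fixed Version column of the advisory's table, keyed by Bug ID and
# software train.  "M" trains are the mesh releases (4.1M, 4.2M).
FIRST_FIXED = {
    "CSCsx03715": {  # malformed HTTP/HTTPS authentication response DoS
        "4.1": NOT_VULNERABLE, "4.1M": NOT_VULNERABLE, "4.2": "4.2.205.0",
        "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": MIGRATE,
        "5.2": "5.2.178.0", "6.0": NOT_VULNERABLE,
    },
    "CSCsw40789": {  # SSH connections DoS
        "4.1": MIGRATE, "4.1M": MIGRATE, "4.2": "4.2.205.0",
        "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": "5.1.163.0",
        "5.2": "5.2.178.0", "6.0": NOT_VULNERABLE,
    },
    "CSCsy27708": {  # crafted HTTP/HTTPS request DoS
        "4.1": MIGRATE, "4.1M": MIGRATE, "4.2": "4.2.205.0",
        "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": MIGRATE,
        "5.2": "5.2.191.0", "6.0": NOT_VULNERABLE,
    },
    "CSCsy44672": {  # crafted HTTP/HTTPS request unauthorized config change
        "4.1": MIGRATE, "4.1M": MIGRATE, "4.2": "4.2.205.0",
        "4.2M": NOT_VULNERABLE, "5.0": MIGRATE, "5.1": MIGRATE,
        "5.2": "5.2.191.0", "6.0": NOT_VULNERABLE,
    },
}

# Constructed sample, modelled on the advisory's own `show sysinfo` excerpt.
SAMPLE_SYSINFO = """(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
"""


def parse_product_version(sysinfo_output):
    """Pull the Product Version value out of `show sysinfo` text."""
    match = re.search(r"^Product Version\.*\s+(\d+(?:\.\d+)+)\s*$",
                      sysinfo_output, re.MULTILINE)
    if not match:
        raise ValueError("Product Version field not found")
    return match.group(1)


def version_key(version):
    """Numeric tuple so that 5.1.151.0 < 5.1.163.0 compares correctly."""
    return tuple(int(part) for part in version.split("."))


def train(version, mesh=False):
    """Software train as the table names it: major.minor, plus 'M' for mesh code."""
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}{'M' if mesh else ''}"


def assess(version, mesh=False):
    """Map each Bug ID to 'not vulnerable', 'fixed', or 'vulnerable (...)'."""
    current_train = train(version, mesh)
    status = {}
    for bug, fixed_by_train in FIRST_FIXED.items():
        first_fixed = fixed_by_train.get(current_train)
        if first_fixed is None:
            status[bug] = f"unknown: train {current_train} is not in the table"
        elif first_fixed == NOT_VULNERABLE:
            status[bug] = "not vulnerable"
        elif first_fixed == MIGRATE:
            status[bug] = "vulnerable (no fix in this train; migrate as the table directs)"
        elif version_key(version) >= version_key(first_fixed):
            status[bug] = "fixed"
        else:
            status[bug] = f"vulnerable (first fixed version {first_fixed})"
    return status


def vulnerable_bugs(version, mesh=False):
    """Sorted list of Bug IDs the given release is still exposed to."""
    return sorted(bug for bug, s in assess(version, mesh).items()
                  if s.startswith("vulnerable"))


if __name__ == "__main__":
    running = parse_product_version(SAMPLE_SYSINFO)
    for bug, s in assess(running).items():
        print(f"{running} {bug}: {s}")
```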
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
VAR-201106-0004 | CVE-2009-5078 | GNU troff of contrib/pdfmark/pdfroff.sh Vulnerable to arbitrary file creation |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launches the Ghostscript program without the -dSAFER option, which allows remote attackers to create, overwrite, rename, or delete arbitrary files via a crafted document.
Successful exploits may allow attackers to mount a symlink attack, which may allow the attacker to delete or corrupt sensitive files. Attackers can also rename arbitrary files and potentially cause a denial-of-service condition. Other attacks are also possible. Groff (GNU Troff) is the latest open source implementation of Troff, a document preparation system that generates print and screen documents for various devices from the same input source.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating PHP to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling.
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
an unexpected application termination or arbitrary code execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Groff: Multiple Vulnerabilities
Date: October 25, 2013
Bugs: #386335
ID: 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Groff, allowing
context-dependent attackers to conduct symlink attacks.
Background
==========
GNU Troff (Groff) is a text formatter used for man pages. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"
References
==========
[ 1 ] CVE-2009-5044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201106-0002 | CVE-2009-5044 | GNU troff of contrib/pdfmark/pdfroff.sh Vulnerable to overwriting arbitrary files |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file.
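The weakness described above is a temporary file with a predictable name (pdf#####.tmp) created in a shared directory, which lets another local user pre-create a symlink at that path so that the script's write lands on a file of the attacker's choosing. As an added example that is not part of this advisory or of groff's own code, the following POSIX shell contrasts that pattern with mktemp-based creation and a pre-write check; the function names and the pdfroff.XXXXXX template are assumptions for illustration.

```shell
# Added example, not from groff or the advisory: safe temporary-file
# handling versus the predictable pattern the advisory describes.

# What the advisory describes (illustrative only): a name built from a
# small counter or the PID is guessable, so another local user can place
# a symlink there before the script opens it.
unsafe_tmp_name() {
    printf '/tmp/pdf%05d.tmp' "$(( $$ % 100000 ))"
}

# Defender's check: only accept a regular file that is not a symlink.
# (Path is an argument; returns non-zero for symlinks or missing files.)
check_not_symlink() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# Safe pattern: mktemp creates the file atomically with O_EXCL, mode 0600
# and an unpredictable suffix, so a pre-planted symlink cannot be followed.
# $1 is the content to write; prints the created path on success.
safe_tmp_write() {
    tmpdir="${TMPDIR:-/tmp}"
    f=$(mktemp "$tmpdir/pdfroff.XXXXXX") || return 1
    # Belt and braces: re-verify before writing through the path.
    if ! check_not_symlink "$f"; then
        rm -f "$f"
        return 1
    fi
    printf '%s\n' "$1" > "$f" || return 1
    printf '%s\n' "$f"
}
```

Use mktemp's template form rather than a fixed name, keep the file mode private (mktemp does this by default), and honour TMPDIR so the script can be pointed at a per-user directory on multi-user systems.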
Successful exploits may allow attackers to mount a symlink attack, which may allow the attacker to delete or corrupt sensitive files. Attackers can also rename arbitrary files and potentially cause a denial-of-service condition. Other attacks are also possible. Groff (GNU Troff) is the latest open source implementation of Troff, a document preparation system that generates print and screen documents for various devices from the same input source.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to change the password of
a local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of Unicode characters may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling.
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
an unexpected application termination or arbitrary code execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.
For more information:
SA44999
SOLUTION:
Apply updated packages via the zypper package manager. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security.
----------------------------------------------------------------------
TITLE:
GNU Troff "pdfroff" Script Insecure Temporary File Creation
SECUNIA ADVISORY ID:
SA44999
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44999/
RELEASE DATE:
2011-06-18
DESCRIPTION:
A vulnerability has been reported in GNU Troff, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
The vulnerability is caused due to the "pdfroff" script creating
temporary files insecurely.
The vulnerability is reported in version 1.20. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Reported in a Debian bug report by Brian M. Carlson.
ORIGINAL ADVISORY:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Groff: Multiple Vulnerabilities
Date: October 25, 2013
Bugs: #386335
ID: 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Groff, allowing
context-dependent attackers to conduct symlink attacks.
Background
==========
GNU Troff (Groff) is a text formatter used for man pages. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"
References
==========
[ 1 ] CVE-2009-5044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201204-0111 | CVE-2012-0777 | Adobe Flash vulnerability affects Flash Player and other Adobe products |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
The JavaScript API in Adobe Reader and Acrobat 9.x before 9.5.1 and 10.x before 10.1.3 on Mac OS X and Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Adobe Flash contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Flash Player, Reader, Acrobat, and other products that include Flash support are affected.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: acroread security update
Advisory ID: RHSA-2012:0469-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0469.html
Issue date: 2012-04-10
CVE Names: CVE-2012-0774 CVE-2012-0775 CVE-2012-0777
=====================================================================
1. Summary:
Updated acroread packages that fix multiple security issues are now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
Adobe Reader allows users to view and print documents in Portable Document
Format (PDF).
This update fixes multiple security flaws in Adobe Reader. These flaws are
detailed on the Adobe security page APSB12-08, listed in the References
section. A specially-crafted PDF file could cause Adobe Reader to crash or,
potentially, execute arbitrary code as the user running Adobe Reader when
opened. (CVE-2012-0774, CVE-2012-0775, CVE-2012-0777)
All Adobe Reader users should install these updated packages. They contain
Adobe Reader version 9.5.1, which is not vulnerable to these issues. All
running instances of Adobe Reader must be restarted for the update to take
effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
5. Bugs fixed (http://bugzilla.redhat.com/):
810397 - CVE-2012-0774 CVE-2012-0775 CVE-2012-0777 acroread: multiple unspecified flaws (APSB12-08)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
x86_64:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
x86_64:
acroread-9.5.1-1.el5.i386.rpm
acroread-plugin-9.5.1-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
x86_64:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
x86_64:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
x86_64:
acroread-9.5.1-1.el6_2.i686.rpm
acroread-plugin-9.5.1-1.el6_2.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2012-0774.html
https://www.redhat.com/security/data/cve/CVE-2012-0775.html
https://www.redhat.com/security/data/cve/CVE-2012-0777.html
https://access.redhat.com/security/updates/classification/#critical
http://www.adobe.com/support/security/bulletins/apsb12-08.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPhKRJXlSAg2UNWIIRAsVrAJ9UzVzzjYFWUh47R5dgHQiRssfFOgCfWmLi
Icw8el8KnX3f3bgyqMCsWO0=
=NK8r
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Flash player version 10.0.22.87
and earlier 10.x versions as well as Flash player version 9.0.159.0
and earlier 9.x versions are affected.
An attacker could exploit this vulnerability by convincing a user
to visit a website that hosts a specially crafted SWF file. The
Adobe Flash browser plugin is available for multiple web browsers
and operating systems, any of which could be affected. An attacker
could also create a PDF document that has an embedded SWF file to
exploit the vulnerability.
This vulnerability is being actively exploited.
II.
III. Solution
These vulnerabilities can be mitigated by disabling the Flash
plugin or by using the NoScript extension for Mozilla Firefox or
SeaMonkey to whitelist websites that can access the Flash plugin.
For more information about securely configuring web browsers,
please see the Securing Your Web Browser document. US-CERT
Vulnerability Note VU#259425 has additional details, as well as
information about mitigating the PDF document attack vector.
Thanks to Department of Defense Cyber Crime Center/DCISE for
information used in this document.
IV. References
* Vulnerability Note VU#259425 -
<http://www.kb.cert.org/vuls/id/259425>
* Security advisory for Adobe Reader, Acrobat and Flash Player -
<http://www.adobe.com/support/security/advisories/apsa09-03.html>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* NoScript - <https://addons.mozilla.org/addon/722>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-204A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-204A Feedback VU#259425" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: June 22, 2012
Bugs: #405949, #411499
ID: 201206-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers
to execute arbitrary code or conduct various other attacks.
Affected packages
=================
-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  app-text/acroread            < 9.5.1                    >= 9.5.1
Description
===========
Multiple vulnerabilities have been found in Adobe Reader, including an
integer overflow in TrueType Font handling (CVE-2012-0774) and multiple
unspecified errors which could cause memory corruption.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.5.1"
References
==========
[ 1 ] CVE-2011-4370
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4370
[ 2 ] CVE-2011-4371
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4371
[ 3 ] CVE-2011-4372
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4372
[ 4 ] CVE-2011-4373
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4373
[ 5 ] CVE-2012-0774
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0774
[ 6 ] CVE-2012-0775
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0775
[ 7 ] CVE-2012-0776
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0776
[ 8 ] CVE-2012-0777
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0777
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200907-0583 | No CVE | SAP NetWeaver Password Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP NetWeaver is prone to an information-disclosure vulnerability because it fails to properly secure communication channels between clients and servers.
Successful exploits will allow attackers to obtain sensitive information that may aid in further attacks.
VAR-200907-0094 | CVE-2009-2047 | Cisco Unified CCX Server CRS Directory traversal vulnerability in the internal management interface |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
Directory traversal vulnerability in the Administration interface in Cisco Customer Response Solutions (CRS) before 7.0(1) SR2 in Cisco Unified Contact Center Express (aka CCX) server allows remote authenticated users to read, modify, or delete arbitrary files via unspecified vectors. Cisco Unified Contact Center Express is prone to a directory-traversal vulnerability.
An attacker can exploit this issue to view, modify, or delete any file on the server through the CRS Administration interface. Successful exploits may lead to other attacks.
This issue is tracked by Cisco BugID CSCsw76644.
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Cisco Unified Contact Center Express Two Vulnerabilities
SECUNIA ADVISORY ID:
SA35861
VERIFY ADVISORY:
http://secunia.com/advisories/35861/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco Unified Contact
Center Express, which can be exploited by malicious users to conduct
script insertion attacks, manipulate certain data, disclose
potentially sensitive information, and potentially compromise a
vulnerable system.
2) Certain input to the Cisco Unified CCX database is not properly
sanitised before being used. This can be exploited to insert
arbitrary HTML and script code, which will be executed in a user's
browser session in context of an affected site when the malicious
data is viewed.
CRS 7.x:
Update to CRS version 7.0(1) SR2.
CRS 5.x and 6.x:
Apply hotfix crs5.0.2sr2es09 or crs6.0.1sr1es05.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Exploitation of these vulnerabilities could
result in a denial of service condition, information disclosure, or a
privilege escalation attack.
Cisco has released free software updates that address these two
vulnerabilities in the latest version of Cisco Unified CCX software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml.
Vulnerable Products
+------------------
All versions of Cisco Unified CCX server running the following software
may be affected by these vulnerabilities, to include:
* Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x,
6.x, and 7.x
* Cisco Unified IP Interactive Voice Response (Cisco Unified IP
IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
* Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
* Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x,
and 7.x
* Cisco Customer Response Applications versions 3.x
* Cisco IP Queue Manager (IP QM) versions 3.x
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
This vulnerability
is documented in Cisco Bug ID CSCsw76644 and has been assigned Common
Vulnerability and Exposures (CVE) ID CVE-2009-2047.
The script injection vulnerability may allow authenticated users to
enter JavaScript into the Cisco Unified CCX database. The stored script
could be executed in the browser of the next authenticated user. This
vulnerability is documented in Cisco Bug ID CSCsw76649 and has been
assigned CVE ID CVE-2009-2048.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* Incomplete input validation allows modification of OS
files/directories (CSCsw76644)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* script injection vulnerability in admin interface pages (CSCsw76649)
CVSS Base Score - 5.5
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the directory traversal vulnerability may
result in read and write access to files on the underlying operating
system.
Successful exploitation of the script injection vulnerability may result
in the execution of JavaScript of authenticated users and prevent server
pages from displaying properly.
Software Versions and Fixes
===========================
The fixes for these vulnerabilities are included in CRS version
7.0(1)SR2 and are available as a hotfix for customers running versions
5.x and 6.x. The hotfixes are crs5.0.2sr2es09 and crs6.0.1sr1es05.
Information about how to obtain the hotfixes can be found in the release
notes enclosures of the bugs at: CSCsw76644 and CSCsw76649.
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for these vulnerabilities.
The script injection attacks that are described in this advisory are
a specific classification of stored cross-site scripting attacks. A
description and mitigation technique can be found in the applied
mitigation bulletin available at the following link:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a008073f7b3.html
These vulnerabilities can be detected and mitigated with IDS signatures
3216-0 and 19001-0.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by National Australia
Bank's Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of these vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2009-July-15 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Jul 15, 2009 Document ID: 110307
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkpeCwIACgkQ86n/Gc8U/uCRVACfQ16BguNxTclUmslEdX/l/W8Y
6DcAoJ3WjD6cV2PJ5LPVei8F9mMDyXLj
=wNQ1
-----END PGP SIGNATURE-----
VAR-200907-0095 | CVE-2009-2048 | Cisco Unified CCX Server CRS Internal management interface cross-site scripting vulnerability |
CVSS V2: 3.5 CVSS V3: - Severity: LOW |
Cross-site scripting (XSS) vulnerability in the Administration interface in Cisco Customer Response Solutions (CRS) before 7.0(1) SR2 in Cisco Unified Contact Center Express (aka CCX) server allows remote authenticated users to inject arbitrary web script or HTML into the CCX database via unspecified vectors.
An attacker can exploit this issue to execute arbitrary script code in the context of the user running the application, which may aid in further attacks.
This issue is documented by Cisco Bug ID CSCsw76649.
----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
2) Certain input to the Cisco Unified CCX database is not properly
sanitised before being used.
CRS 7.x:
Update to CRS version 7.0(1) SR2.
CRS 5.x and 6.x:
Apply hotfix crs5.0.2sr2es09 or crs6.0.1sr1es05.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Exploitation of these vulnerabilities could
result in a denial of service condition, information disclosure, or a
privilege escalation attack.
Cisco has released free software updates that address these two
vulnerabilities in the latest version of Cisco Unified CCX software.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml.
Vulnerable Products
+------------------
All versions of Cisco Unified CCX server running the following software
may be affected by these vulnerabilities, to include:
* Cisco Customer Response Solution (CRS) versions 3.x, 4.x, 5.x,
6.x, and 7.x
* Cisco Unified IP Interactive Voice Response (Cisco Unified IP
IVR) versions 3.x, 4.x, 5.x, 6.x, and 7.x
* Cisco Unified CCX 4.x, 5.x, 6.x, and 7.x
* Cisco Unified IP Contact Center Express versions 3.x, 5.x, 6.x,
and 7.x
* Cisco Customer Response Applications versions 3.x
* Cisco IP Queue Manager (IP QM) versions 3.x
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
The stored script
could be executed in the browser of the next authenticated user.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in
this Security Advisory is done in accordance with CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS
at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* Incomplete input validation allows modification of OS
files/directories (CSCsw76644)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* script injection vulnerability in admin interface pages (CSCsw76649)
CVSS Base Score - 5.5
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - None
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 4.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the directory traversal vulnerability may
result in read and write access to files on the underlying operating
system.
Successful exploitation of the script injection vulnerability may result
in the execution of JavaScript of authenticated users and prevent server
pages from displaying properly.
Software Versions and Fixes
===========================
The fixes for these vulnerabilities are included in CRS version
7.0(1)SR2 and are available as a hotfix for customers running versions
5.x and 6.x. The hotfixes are crs5.0.2sr2es09 and crs6.0.1sr1es05.
The latest version of Cisco Unified Contact Center Express is
available at the following link:
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=7.0%281%29_SR2&mdfid=270569179&sftType=Cisco+Customer+Response+Solution+Software+Releases&optPlat=&nodecount=11&edesignator=null&modelName=Cisco+Unified+Contact+Center+Express&treeMdfId=2788752.
Information about how to obtain the hotfixes can be found in the release
notes enclosures of the bugs at: CSCsw76644 and CSCsw76649.
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Workarounds
===========
There are no workarounds for these vulnerabilities.
The script injection attacks that are described in this advisory are
a specific classification of stored cross-site scripting attacks. A
description and mitigation technique can be found in the applied
mitigation bulletin available at the following link:
http://www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a008073f7b3.html
These vulnerabilities can be detected and mitigated with IDS signatures
3216-0 and 19001-0.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for software
upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreements with third-party support organizations, such
as Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service
contract, and customers who purchase through third-party vendors but are
unsuccessful in obtaining fixed software through their point of sale
should acquire upgrades by contacting the Cisco Technical Assistance
Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to a
free upgrade. Free upgrades for non-contract customers must be requested
through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were reported to Cisco by National Australia
Bank's Security Assurance team.
Cisco would like to thank the National Australia Bank's Security
Assurance team for the discovery and reporting of these vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090715-uccx.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2009-July-15 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in
Cisco products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2008-2009 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Jul 15, 2009 Document ID: 110307
VAR-200907-0064 | CVE-2009-1422 | HP ProCurve Threat Management Services zl Module CRL Security Bypass Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to gain privileges via unknown vectors, aka PR_41209.
Successful exploits may allow attackers to bypass certain security restrictions, which may aid in launching further attacks.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01803910
Version: 1
HPSBGN02446 SSRT090111 rev.1 - HP ProCurve Threat Management Services zl Module (J9155A), Remote Unauthorized Access, Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. These vulnerabilities could be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS).
References: CVE-2009-1422 (PR_41209), CVE-2009-1423 (PR_39898), CVE-2009-1424 (PR_39412), CVE-2009-1425 (PR_18770)
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
PRODUCT SPECIFIC INFORMATION
None
HISTORY
Version: 1 (rev.1) - 13 July 2009 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact the normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2009 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
VAR-200907-0065 | CVE-2009-1423 | HP ProCurve Threat Management Services zl Module VPN Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in HP ProCurve Threat Management Services zl Module (J9155A) ST.1.0.090213 and earlier allows remote attackers to cause a denial of service via unknown vectors, aka PR_39898, a different vulnerability than CVE-2009-1424 and CVE-2009-1425. This is a different vulnerability from CVE-2009-1424 and CVE-2009-1425. A remote third party may be able to put the device into a denial-of-service (DoS) state.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users. The full HP bulletin HPSBGN02446 (Document ID c01803910) is reproduced under CVE-2009-1422 above.