VARIoT IoT vulnerabilities database

Affected products: vendor, model and version
CWE format is 'CWE-number'. Threat type can be: remote or local
Look up free text in title and description

VAR-201206-0202 CVE-2012-0920 Dropbear SSH Server Remote Code Execution Vulnerability CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Use-after-free vulnerability in Dropbear SSH Server 0.52 through 2012.54, when command restriction and public key authentication are enabled, allows remote authenticated users to execute arbitrary code and bypass command restrictions via multiple crafted command requests, related to "channels concurrency.". Dropbear SSH Server is a small Secure Shell server for embedded environments. A remote code execution vulnerability exists in Dropbear SSH Server that was caused by a post-release error. An attacker could exploit the vulnerability to execute arbitrary code with root-level privileges, which could allow an attacker to fully manipulate the affected system. Note: To exploit the issue an attacker must be authenticated using a public key and a command restriction is enforced. Solution: Upgrade to version 2012.55 or higher. 2012-02-24 - Coordinated public release of advisory. Credit: This vulnerability was discovered by Danny Fullerton from Mantor Organization. Special thanks to Matt. This fixes a vulnerability, which can be exploited by malicious users to gain escalated privileges. For more information: SA48147 SOLUTION: Apply updated packages via the apt-get package manager. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2456-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff April 23, 2012 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : dropbear Vulnerability : use after free Problem type : remote Debian-specific: no CVE ID : CVE-2012-0920 Danny Fullerton discovered a use-after-free in the Dropbear SSH daemon, resulting in potential execution of arbitrary code. For the stable distribution (squeeze), this problem has been fixed in version 0.52-5+squeeze1. For the testing distribution (wheezy), this problem has been fixed in version 2012.55-1. For the unstable distribution (sid), this problem has been fixed in version 2012.55-1. We recommend that you upgrade your dropbear packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAk+XCosACgkQXm3vHE4uylrKpQCfZpU4eKxztqi8zGzsAKdxzhLV kOcAoIshssbewzstn+sNTIJyNP7MJ10i =uWaI -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Dropbear SSH Server Use-After-Free Vulnerability SECUNIA ADVISORY ID: SA48147 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48147/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48147 RELEASE DATE: 2012-02-27 DISCUSS ADVISORY: http://secunia.com/advisories/48147/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48147/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48147 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Danny Fullerton has reported a vulnerability in Dropbear SSH Server, which can be exploited by malicious users to gain escalated privileges. The vulnerability is reported in version 0.52 through 2011.54. SOLUTION: Update to version 2012.55 PROVIDED AND/OR DISCOVERED BY: Danny Fullerton, Mantor Organization ORIGINAL ADVISORY: Dropbear: http://matt.ucc.asn.au/dropbear/CHANGES Danny Fullerton: http://archives.neohapsis.com/archives/fulldisclosure/2012-02/0404.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201309-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Dropbear: Multiple vulnerabilities Date: September 26, 2013 Bugs: #328409, #405607 ID: 201309-20 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Dropbear, the worst of which could lead to arbitrary code execution. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/dropbear < 2012.55 >= 2012.55 Description =========== Multiple vulnerabilities have been discovered in Dropbear. Please review the CVE identifier and Gentoo bug referenced below for details. Impact ====== A remote attacker could send a specially crafted request to trigger a use-after-free condition, possibly resulting in arbitrary code execution or a Denial of Service condition. Additionally, the bundled version of libtommath has an error in its prime number generation, which could result in the generation of weak keys. Workaround ========== There is no known workaround at this time. Resolution ========== All Dropbear users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/dropbear-2012.55" References ========== [ 1 ] CVE-2012-0920 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0920 [ 2 ] libtommath Gentoo bug https://bugs.gentoo.org/show_bug.cgi?id=328383 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201309-20.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201202-0352 No CVE D-Link DCS product 'security.cgi' Cross-Site Request Forgery Vulnerability CVSS V2: -
CVSS V3: -
Severity: MEDIUM
D-Link DCS is a camera device product. There is a vulnerability in D-Link DCS. Because the 'security.cgi' provided by the D-Link DCS product fails to properly filter the user-submitted input, it can trigger a cross-site request forgery attack. The attacker constructs a malicious URI, entice the user to access, and can perform malicious operations with administrator privileges. The D-Link DCS-900, DCS-2000, and DCS-5300 are prone to a cross-site request-forgery vulnerability. Successful exploits may allow attackers to run privileged commands on the affected device, change configuration, cause denial-of-service conditions, or inject arbitrary script code. Other attacks are also possible. This issue affects D-Link DCS-900, DCS-2000, and DCS-5300
VAR-201202-0171 CVE-2012-0365 plural Cisco Product Local TFTP file-upload Application directory traversal vulnerability CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
Directory traversal vulnerability in the Local TFTP file-upload application on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to upload software to arbitrary directories via unspecified vectors, aka Bug ID CSCtw56009. plural Cisco Product Local TFTP file-upload The application contains a directory traversal vulnerability. The problem is Bug ID CSCtw56009 It is a problem.Remotely authenticated users can upload software to any directory. Cisco Small Business SRP500 series appliances are prone to a directory-traversal vulnerability. Exploiting this issue will allow an attacker to access sensitive information, including password files and system logs, and and allow installation of malicious software on the Cisco SRP 500 series device. This could help the attacker launch further attacks. This issue is tracked by Cisco BugID CSCtw56009. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Small Business SRP 500 Series Multiple Vulnerabilities Advisory ID: cisco-sa-20120223-srp500 Revision 1.0 For Public Release 2012 February 23 16:00 UTC (GMT) Summary ======= Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: * Cisco SRP 500 Series Web Interface Command Injection Vulnerability * Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability * Cisco SRP 500 Series Directory Traversal Vulnerability These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Affected Products ================= Vulnerable Products +------------------ The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26: * Cisco SRP 521W * Cisco SRP 526W * Cisco SRP 527W The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 521W-U * Cisco SRP 526W-U * Cisco SRP 527W-U The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 541W * Cisco SRP 546W * Cisco SRP 547W To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status. The Firmware Version field indicates the current running version of firmware on the Cisco SRP 500 Series device. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SRP 500 Series devices are a flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services to small businesses on an as-needed basis. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco SRP 500 Series Web Interface Command Injection Vulnerability +----------------------------------------------------------------- Cisco SRP 500 Series devices contain a command injection vulnerability that could allow an authenticated session to inject commands to be executed by the operating system. An attacker could exploit this vulnerability by either enticing an administrator to access a crafted link or by performing a man-in-the-middle attack to intercept an authenticated session. An exploit could allow the attacker to execute operating system commands on the device that are run in the context of the root user. This vulnerability has been documented in Cisco bug ID CSCtt46871 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2012-0363. An attacker could exploit this vulnerability by first creating a desired configuration file and then uploading it using the unauthenticated URL. This vulnerability has been documented in Cisco bug ID CSCtw55495 and has been assigned CVE ID CVE-2012-0364. An attacker could exploit this vulnerability by enticing an authenticated user to click on a crafted link or by installing malicious files on the FTP or HTTP server that the administrators of the device may use. This vulnerability has been documented in Cisco bug ID CSCtw56009 and has been assigned CVE ID CVE-2012-0365. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the execution of arbitrary commands on the device or the uploading of files that may be malicious, which may allow the attacker to alter the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------------------------------+ | Affected Product | First Fixed Release | |-----------------------------+---------------------------------| | Cisco SRP 521W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 526W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 527W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 521W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 526W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 527W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 541W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 546W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 547W | 1.2.4 | +---------------------------------------------------------------+ The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm Workarounds =========== The Cisco SRP 500 Series devices are designed as CPE devices, and only disabling access from the outside network will prevent exploitation, from remote networks. The following mitigations help limit exposure to this vulnerability: * Disable Remote Management Caution: Do not disable remote management if administrators manage devices using the WAN connection. This action will result in a loss of management connectivity to the device. Remote Management is disabled by default. If it is enabled, administrators can disable this feature by choosing Administration > Web Access Management. Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Administration > Web Access Management, an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. For additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html Customers with Service Contracts +------------------------------- See the Obtaining Fixed Software section of this advisory. Customers Using Third-Party Support Organizations +------------------------------------------------ See the Obtaining Fixed Software section of this advisory. Customers Without Service Contracts +---------------------------------- See the Obtaining Fixed Software section of this advisory. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-02-23 | Initial Public Release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85 =WMsW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-201202-0170 CVE-2012-0364 plural Cisco Vulnerabilities that can replace configuration files in products CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allow remote attackers to replace the configuration file via an upload request to an unspecified URL, aka Bug ID CSCtw55495. plural Cisco The product contains a vulnerability that can replace configuration files. Cisco Small Business SRP500 series appliances are prone to a security-bypass vulnerability because they allow attackers to gain unauthorized access to the device. This issue is being tracked by Cisco Bug ID CSCtw55495. An unauthenticated attacker can exploit this issue to upload a specially crafted configuration file to the affected device, thereby aiding in further attacks. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Cisco Small Business SRP 500 Series Multiple Vulnerabilities Advisory ID: cisco-sa-20120223-srp500 Revision 1.0 For Public Release 2012 February 23 16:00 UTC (GMT) Summary ======= Cisco Small Business (SRP 500) Series Services Ready Platforms contain the following three vulnerabilities: * Cisco SRP 500 Series Web Interface Command Injection Vulnerability * Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability * Cisco SRP 500 Series Directory Traversal Vulnerability These vulnerabilities can be exploited using sessions to the Services Ready Platform Configuration Utility web interface. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Affected Products ================= Vulnerable Products +------------------ The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26: * Cisco SRP 521W * Cisco SRP 526W * Cisco SRP 527W The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 521W-U * Cisco SRP 526W-U * Cisco SRP 527W-U The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 541W * Cisco SRP 546W * Cisco SRP 547W To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SRP 500 Series devices are a flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services to small businesses on an as-needed basis. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. An attacker could exploit this vulnerability by either enticing an administrator to access a crafted link or by performing a man-in-the-middle attack to intercept an authenticated session. An exploit could allow the attacker to execute operating system commands on the device that are run in the context of the root user. An attacker could exploit this vulnerability by enticing an authenticated user to click on a crafted link or by installing malicious files on the FTP or HTTP server that the administrators of the device may use. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the execution of arbitrary commands on the device or the uploading of files that may be malicious, which may allow the attacker to alter the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------------------------------+ | Affected Product | First Fixed Release | |-----------------------------+---------------------------------| | Cisco SRP 521W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 526W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 527W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 521W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 526W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 527W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 541W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 546W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 547W | 1.2.4 | +---------------------------------------------------------------+ The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm Workarounds =========== The Cisco SRP 500 Series devices are designed as CPE devices, and only disabling access from the outside network will prevent exploitation, from remote networks. The following mitigations help limit exposure to this vulnerability: * Disable Remote Management Caution: Do not disable remote management if administrators manage devices using the WAN connection. This action will result in a loss of management connectivity to the device. Remote Management is disabled by default. If it is enabled, administrators can disable this feature by choosing Administration > Web Access Management. Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Administration > Web Access Management, an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. For additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html Customers with Service Contracts +------------------------------- See the Obtaining Fixed Software section of this advisory. Customers Using Third-Party Support Organizations +------------------------------------------------ See the Obtaining Fixed Software section of this advisory. Customers Without Service Contracts +---------------------------------- See the Obtaining Fixed Software section of this advisory. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-02-23 | Initial Public Release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85 =WMsW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-201202-0169 CVE-2012-0363 plural Cisco Product Web An arbitrary command execution vulnerability in the interface CVSS V2: 9.0
CVSS V3: -
Severity: HIGH
The web interface on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability," aka Bug ID CSCtt46871. plural Cisco Product Web The interface contains a vulnerability that allows arbitrary commands to be executed. The problem is Bug ID CSCtt46871 It is a problem.An arbitrary command may be executed by a remotely authenticated user. Cisco Small Business SRP500 series appliances are prone to a remote command-injection vulnerability. Successful exploits will result in the execution of operating system commands in the context of the root user. This may facilitate a complete compromise of an affected computer. This issue is being tracked by Cisco bug ID CSCtt46871. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available. This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Affected Products ================= Vulnerable Products +------------------ The following Cisco SRP 520 Series models are affected if running firmware prior to version 1.1.26: * Cisco SRP 521W * Cisco SRP 526W * Cisco SRP 527W The following Cisco SRP 520W-U Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 521W-U * Cisco SRP 526W-U * Cisco SRP 527W-U The following Cisco SRP 540 Series models are affected if running firmware prior to version 1.2.4: * Cisco SRP 541W * Cisco SRP 546W * Cisco SRP 547W To view the firmware version on a device, log in to the Services Ready Platform Configuration Utility and navigate to the Status > Router page to view information about the Cisco SRP Series device and its firmware status. The Firmware Version field indicates the current running version of firmware on the Cisco SRP 500 Series device. Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SRP 500 Series devices are a flexible, cost-effective, fixed-configuration customer premises equipment (CPE) with embedded intelligence to enable service providers to create, provision, and deploy premium revenue-generating services to small businesses on an as-needed basis. These vulnerabilities could be exploited from the local LAN side of the SRP device by default configuration and the WAN side of the SRP device if remote management is enabled. Remote management is disabled by default. An attacker could exploit this vulnerability by either enticing an administrator to access a crafted link or by performing a man-in-the-middle attack to intercept an authenticated session. An attacker could exploit this vulnerability by first creating a desired configuration file and then uploading it using the unauthenticated URL. An exploit could allow the attacker to alter the configuration of the Cisco SRP 500 Series device. An attacker could exploit this vulnerability by enticing an authenticated user to click on a crafted link or by installing malicious files on the FTP or HTTP server that the administrators of the device may use. An exploit could allow the attacker to install malicious software on the Cisco SRP 500 Series device to launch future attacks. Vulnerability Scoring Details ============================= Cisco has scored the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response. Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks. Cisco has provided additional information regarding CVSS at the following link: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to compute the environmental impact for individual networks at the following link: http://intellishield.cisco.com/security/alertmanager/cvss * CSCtt46871 - Cisco SRP 500 Series Web Interface Command Injection Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw55495 - Cisco SRP 500 Series Unauthenticated Configuration Upload Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtw56009 - Cisco SRP 500 Series Directory Traversal Vulnerability CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the execution of arbitrary commands on the device or the uploading of files that may be malicious, which may allow the attacker to alter the device configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult: http://www.cisco.com/go/psirt As well as any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +---------------------------------------------------------------+ | Affected Product | First Fixed Release | |-----------------------------+---------------------------------| | Cisco SRP 521W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 526W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 527W | 1.1.26 | |-----------------------------+---------------------------------| | Cisco SRP 521W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 526W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 527W-U | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 541W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 546W | 1.2.4 | |-----------------------------+---------------------------------| | Cisco SRP 547W | 1.2.4 | +---------------------------------------------------------------+ The latest Cisco SRP 500 Series Services Ready Platforms firmware can be downloaded at: http://www.cisco.com/cisco/software/navigator.html?mdfid=282736194&i=rm Workarounds =========== The Cisco SRP 500 Series devices are designed as CPE devices, and only disabling access from the outside network will prevent exploitation, from remote networks. The following mitigations help limit exposure to this vulnerability: * Disable Remote Management Caution: Do not disable remote management if administrators manage devices using the WAN connection. This action will result in a loss of management connectivity to the device. Remote Management is disabled by default. If it is enabled, administrators can disable this feature by choosing Administration > Web Access Management. Change the setting for the Remote Management field to Disabled. Disabling remote management limits exposure because the vulnerability can then be exploited from the inter-LAN network only. * Limit Remote Management Access to Specific IP Addresses If remote management is required, secure the device so that it can be accessed by certain IP addresses only, rather than the default setting of All IP Addresses. After choosing Administration > Web Access Management, an administrator can change the Allowed Remote IP Address setting to ensure that only devices with specified IP addresses can access the device. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html Or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at: http://www.cisco.com If the information is not clear, please contact the Cisco Small Business Support Center or your contracted maintenance provider for assistance. Small Business Support Center contacts are as follows. +1 866 606 1866 (toll free from within North America) +1 408 418 1866 (toll call from anywhere in the world) Customers should have their product serial number available. For additional support contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages refer to: http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html Customers with Service Contracts +------------------------------- See the Obtaining Fixed Software section of this advisory. Customers Using Third-Party Support Organizations +------------------------------------------------ See the Obtaining Fixed Software section of this advisory. Customers Without Service Contracts +---------------------------------- See the Obtaining Fixed Software section of this advisory. Exploitation and Public Announcements ===================================== The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. These vulnerabilities were reported to Cisco by Michal Sajdak of Securitum, Poland. Status of This Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco Security Intelligence Operations at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500 Additionally, a text version of this advisory is clear signed with the Cisco PSIRT PGP key and circulated among the following e-mail addresses: * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk Future updates of this advisory, if any, will reside on Cisco.com but may not be announced on mailing lists. Users can monitor this advisory's URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2012-02-23 | Initial Public Release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt +-------------------------------------------------------------------- Copyright 2010-2012 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org iF4EAREIAAYFAk9FbNgACgkQQXnnBKKRMNAfIAD/WMs9GOrkuwOl4hChGWKdtysj zrvZf97YvaI0rShqp0gA/33sBJSMX3KcSYgYZS5RgYG5ZLFV0Cc2zXURzQRzxY85 =WMsW -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-201210-0417 CVE-2012-5323 Xavi X7968 Vulnerable to cross-site request forgery

Related entries in the VARIoT exploits database: VAR-E-201202-0072, VAR-E-201202-0070, VAR-E-201202-0071
CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in webconfig/admin_passwd/passwd.html/admin_passwd in Xavi X7968 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysUserName, sysPassword, and sysCfmPwd parameters. The Xavi 7968 ADSL Router is an ADSL router device. There is a vulnerability in the Xavi 7968 ADSL Router. Because the program fails to properly validate user-submitted requests, an attacker can build a malicious URI, trick the user into parsing, and run privileged commands on the device, such as changing the configuration, performing a denial of service attack, or injecting arbitrary script code. Xavi 7968 ADSL Router is prone to cross-site scripting, HTML-injection and cross-site request forgery vulnerabilities. The attacker can exploit the issues to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, or perform certain administrative functions on victim's behalf. Other attacks are also possible. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: XAVi X7968 Cross-Site Scripting and Request Forgery Vulnerabilities SECUNIA ADVISORY ID: SA48050 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48050/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48050 RELEASE DATE: 2012-03-06 DISCUSS ADVISORY: http://secunia.com/advisories/48050/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48050/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48050 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in XAVi X7968, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks. 1) Input passed via the "pvcName" parameter to webconfig/wan/confirm.html/confirm is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected device. 2) The device's web interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change an administrator's password or conduct script insertion attacks by tricking a logged in administrator into visiting a malicious web site. SOLUTION: Filter malicious characters and character sequences using a proxy. Do not browse untrusted sites or follow untrusted links while being logged-in to the device. PROVIDED AND/OR DISCOVERED BY: Busindre OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . (Admin privileges) ** XSS example: (Alert with Cookie) http://192.168.1.1/webconfig/wan/confirm.html/confirm?context=pageAction%3Dadd%26pvcName%3D%2522%253e%253c%252ftd%253e%253cscript%253ealert%28document.cookie%29%253c%252fscript%253e%26vpi%3D0%26vci%3D38%26scat%3DUBR%26accessmode%3Dpppoe%26encap%3Dvcmux%26encapmode%3Dbridged%26iptype%3Ddhcp%26nat_enable%3Dfalse%26def_route_enable%3Dfalse%26qos_enable%3Dfalse%26chkPPPOEAC%3Dfalse%26tBoxPPPOEAC%3DNot%2520Configured%26sessiontype%3Dalways_on%26username%3Da%26password%3Dss&confirm=+Apply+ ** Persistent XSS example: (Alert with Cookie) Add code: http://192.168.1.1/webconfig/lan/lan_config.html/local_lan_config?ip_add_txtbox=192.168.1.1&sub_mask_txtbox=255.255.255.0&host_name_txtbox=Hack<SCRIPT>alert(document.cookie)</script>&domain_name_txtbox=local.lan&mtu_txtbox=1500&next=Apply Exploit URL: http://192.168.1.1/webconfig/upgrade_image/image_upgrade.html ** Cross site request forgery example: (Change admin Password 1234 -> 12345): http://192.168.1.2/webconfig/admin_passwd/passwd.html/admin_passwd?sysUserName=1234&sysPassword=12345&sysCfmPwd=12345&cmdSubmit=Apply This is just an example, all forms in the router interface are vulnerable to CSRF and if they accept text input, to XSS. Author: Busindre busilezas[@]gmail.com
VAR-201202-0350 No CVE Advantech/Broadwin HMI/SCADA RPC Remote code execution vulnerability CVSS V2: 7.0
CVSS V3: -
Severity: HIGH
BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation. A vulnerability exists in the implementation of Advantech/Broadwin HMI/SCADA WebAccess 6.x.x/7.x.x that could be exploited by a remote attacker to execute arbitrary code on the system
VAR-201202-0342 CVE-2012-1234 Advantech/BroadWin WebAccess SQL Injection Vulnerability CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to execute arbitrary SQL commands via a malformed URL. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0234. BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation
VAR-201202-0343 CVE-2012-1235 Advantech/BroadWin WebAccess Cross-Site Request Forgery Vulnerability CVSS V2: 6.0
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0235. Advantech/BroadWin WebAccess Contains a cross-site request forgery vulnerability. BroadWin SCADA WebAccess is a web browser-based HMI and SCADA software for industrial control systems and automation
VAR-201202-0323 CVE-2012-0870 Samba of smbd Inside process.c Heap-based buffer overflow vulnerability CVSS V2: 7.9
CVSS V3: -
Severity: HIGH
Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion. It highlights game, media publishing and collaboration features. The BlackBerry PlayBook Tablet is a tablet from BlackBerry. The Samba service is used for file sharing between the platform computer and the computer, and remote attackers can exploit the vulnerability to gain control over the Wi-Fi file sharing system through the Wi-Fi network. This vulnerability is also affected when the tablet is connected to the computer using USB and if the attacker can physically access the computer. Samba is prone to a heap-based buffer-overflow vulnerability. Failed exploit attempts will result in a denial-of-service condition. Samba versions prior to 3.4.0 are affected. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: Samba Any Batched Request Handling Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA48152 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48152/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48152 RELEASE DATE: 2012-02-24 DISCUSS ADVISORY: http://secunia.com/advisories/48152/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48152/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48152 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Samba, which can be exploited by malicious people to compromise a vulnerable system. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: Originally reported in BlackBerry Tablet OS by Andy Davis, NGS Secure. ORIGINAL ADVISORY: http://www.samba.org/samba/security/CVE-2012-0870 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0870 _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: f1c5c40a39960bf0be8b4f7b0eb07f1c mes5/i586/libnetapi0-3.3.12-0.8mdvmes5.2.i586.rpm c09851ea48666122ce67fb3bb5d863b7 mes5/i586/libnetapi-devel-3.3.12-0.8mdvmes5.2.i586.rpm 574874125ee63e520110e73158fa1c53 mes5/i586/libsmbclient0-3.3.12-0.8mdvmes5.2.i586.rpm ed39a5badbcb3dff984d099d995e4654 mes5/i586/libsmbclient0-devel-3.3.12-0.8mdvmes5.2.i586.rpm 37f6c8edc6af9e4439fe1cfa74162fd4 mes5/i586/libsmbclient0-static-devel-3.3.12-0.8mdvmes5.2.i586.rpm e06527be75deb64802f8bfa4c266f9bc mes5/i586/libsmbsharemodes0-3.3.12-0.8mdvmes5.2.i586.rpm 9926b5aa94649fe5e4563d7d30eea094 mes5/i586/libsmbsharemodes-devel-3.3.12-0.8mdvmes5.2.i586.rpm 13ed1d18924705829149f27c89cff483 mes5/i586/libtalloc1-3.3.12-0.8mdvmes5.2.i586.rpm 0dcc0cadaff5d3e9e9b26a4aa76320b9 mes5/i586/libtalloc-devel-3.3.12-0.8mdvmes5.2.i586.rpm f66dc353d8f7cc28d9e9922bc731bd06 mes5/i586/libtdb1-3.3.12-0.8mdvmes5.2.i586.rpm 87689dca4f04ccc56c8b7e2958f870a5 mes5/i586/libtdb-devel-3.3.12-0.8mdvmes5.2.i586.rpm eac4493389bdd505786b2a813800ec21 mes5/i586/libwbclient0-3.3.12-0.8mdvmes5.2.i586.rpm 0a4d9665399a405ec33352bac8b085d7 mes5/i586/libwbclient-devel-3.3.12-0.8mdvmes5.2.i586.rpm 31d01f8f5ac236bdeb5da6c0b1103c26 mes5/i586/mount-cifs-3.3.12-0.8mdvmes5.2.i586.rpm 4d65a41c7adf287f33146cb51976c12f mes5/i586/nss_wins-3.3.12-0.8mdvmes5.2.i586.rpm 95851e4895bebace6a800c21411c2c98 mes5/i586/samba-client-3.3.12-0.8mdvmes5.2.i586.rpm 615ae2342634aa724e233fe7c38e1021 mes5/i586/samba-common-3.3.12-0.8mdvmes5.2.i586.rpm 593f4559e2e7927c3d2be07c75f69fc2 mes5/i586/samba-doc-3.3.12-0.8mdvmes5.2.i586.rpm 082b8b10f48f87102f5f4e5734192274 mes5/i586/samba-server-3.3.12-0.8mdvmes5.2.i586.rpm 671a8293f5c9970eff7f41a382ce1de8 mes5/i586/samba-swat-3.3.12-0.8mdvmes5.2.i586.rpm d0826b2d50dd03a8a2def0ab8217a10b mes5/i586/samba-winbind-3.3.12-0.8mdvmes5.2.i586.rpm e63162eb725a3c786a9d6ce6e3ffa834 mes5/SRPMS/samba-3.3.12-0.8mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: 08052ae7f504d3afebc2592c4563cb26 mes5/x86_64/lib64netapi0-3.3.12-0.8mdvmes5.2.x86_64.rpm 959b440b7a52de85774c7826c23e5a0d mes5/x86_64/lib64netapi-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 4fbf3c6550bbd781101b19a5f59db31f mes5/x86_64/lib64smbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm fa0e52cf4f492cb5d991ca5305f4eca7 mes5/x86_64/lib64smbclient0-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 3aab55b5470b2dd3fe21bc22aac57881 mes5/x86_64/lib64smbclient0-static-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 62faaa06906b9b03f73d130c30841e24 mes5/x86_64/lib64smbsharemodes0-3.3.12-0.8mdvmes5.2.x86_64.rpm 2989b58fbd3b45bc9f59c252c694970f mes5/x86_64/lib64smbsharemodes-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 7b02247f56fbae2c39148fbbdb2a9753 mes5/x86_64/lib64talloc1-3.3.12-0.8mdvmes5.2.x86_64.rpm c06c34fbdf4472157ce75f438c8975fe mes5/x86_64/lib64talloc-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 05412945bb2a1b2be22aab619395366e mes5/x86_64/lib64tdb1-3.3.12-0.8mdvmes5.2.x86_64.rpm a5d3e798398970a92129d182766049ab mes5/x86_64/lib64tdb-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm fa4659a2d3591b354ed48fe4780e318a mes5/x86_64/lib64wbclient0-3.3.12-0.8mdvmes5.2.x86_64.rpm a647ebd6ed3d00f8e0cf32db8deddd89 mes5/x86_64/lib64wbclient-devel-3.3.12-0.8mdvmes5.2.x86_64.rpm 5075846b37b482eee78d1390284d221f mes5/x86_64/mount-cifs-3.3.12-0.8mdvmes5.2.x86_64.rpm 08968a5c3682f2af4dab4433d3c4906c mes5/x86_64/nss_wins-3.3.12-0.8mdvmes5.2.x86_64.rpm 1f391d0c654c0efa93a4a9b90ff8abad mes5/x86_64/samba-client-3.3.12-0.8mdvmes5.2.x86_64.rpm 9d374a84dab147dd3a7e20f38032740f mes5/x86_64/samba-common-3.3.12-0.8mdvmes5.2.x86_64.rpm fbc801397a2f7b94b06397aed9e037a8 mes5/x86_64/samba-doc-3.3.12-0.8mdvmes5.2.x86_64.rpm 39fde58a25e8180b574cf6e5a8f7e432 mes5/x86_64/samba-server-3.3.12-0.8mdvmes5.2.x86_64.rpm d9f108c12ade5b0f8905cb453cdb99dc mes5/x86_64/samba-swat-3.3.12-0.8mdvmes5.2.x86_64.rpm 78f300cd217228b7e44d0845f2b29c53 mes5/x86_64/samba-winbind-3.3.12-0.8mdvmes5.2.x86_64.rpm e63162eb725a3c786a9d6ce6e3ffa834 mes5/SRPMS/samba-3.3.12-0.8mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iD8DBQFPTQdAmqjQ0CJFipgRAjl5AKCHFXTjEFCIjESHT9QE+lzC/znTUQCeKcKO gBbgJhbdLqBQlAb9QBUHTIM= =j351 -----END PGP SIGNATURE----- . High Risk Vulnerability in Samba 25 February 2012 Andy Davis of NGS Secure has discovered a high risk vulnerability in the Samba service Impact: Remote Code Execution Versions affected: Samba versions up to 3.4.0 More details about this vulnerability and how to obtain software updates can be found here: http://www.samba.org/samba/security/CVE-2012-0870 NGS Secure is going to withhold details of this flaw for three months. This three month window will allow users the time needed to apply the patch before the details are released to the general public. This reflects the NGS Secure approach to responsible disclosure. NGS Secure Research http://www.ngssecure.com . This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks. ============================================================================ Ubuntu Security Notice USN-1374-1 February 24, 2012 samba vulnerability ============================================================================ A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 8.04 LTS Summary: Samba could be made to crash or run programs if it received specially crafted network traffic. Software Description: - samba: SMB/CIFS file, print, and login server for Unix Details: Andy Davis discovered that Samba incorrectly handled certain AndX offsets. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 8.04 LTS: samba 3.0.28a-1ubuntu4.17 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: samba security update Advisory ID: RHSA-2012:0332-01 Product: Red Hat Enterprise Linux Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0332.html Issue date: 2012-02-23 CVE Names: CVE-2012-0870 ===================================================================== 1. Summary: Updated samba packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 5.3 Long Life, and 5.6 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux EUS (v. 5.6 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Long Life (v. 5.3 server) - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Samba is a suite of programs used by machines to share files, printers, and other information. An input validation flaw was found in the way Samba handled Any Batched (AndX) requests. A remote, unauthenticated attacker could send a specially-crafted SMB packet to the Samba server, possibly resulting in arbitrary code execution with the privileges of the Samba server (root). (CVE-2012-0870) Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Andy Davis of NGS Secure as the original reporter. Users of Samba are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing this update, the smb service will be restarted automatically. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 795509 - CVE-2012-0870 samba: Any Batched ("AndX") request processing infinite recursion and heap-based buffer overflow 6. Package List: Red Hat Enterprise Linux AS version 4: Source: ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm ia64: samba-3.0.33-0.35.el4.ia64.rpm samba-client-3.0.33-0.35.el4.ia64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.ia64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.ia64.rpm samba-swat-3.0.33-0.35.el4.ia64.rpm ppc: samba-3.0.33-0.35.el4.ppc.rpm samba-client-3.0.33-0.35.el4.ppc.rpm samba-common-3.0.33-0.35.el4.ppc.rpm samba-common-3.0.33-0.35.el4.ppc64.rpm samba-debuginfo-3.0.33-0.35.el4.ppc.rpm samba-debuginfo-3.0.33-0.35.el4.ppc64.rpm samba-swat-3.0.33-0.35.el4.ppc.rpm s390: samba-3.0.33-0.35.el4.s390.rpm samba-client-3.0.33-0.35.el4.s390.rpm samba-common-3.0.33-0.35.el4.s390.rpm samba-debuginfo-3.0.33-0.35.el4.s390.rpm samba-swat-3.0.33-0.35.el4.s390.rpm s390x: samba-3.0.33-0.35.el4.s390x.rpm samba-client-3.0.33-0.35.el4.s390x.rpm samba-common-3.0.33-0.35.el4.s390.rpm samba-common-3.0.33-0.35.el4.s390x.rpm samba-debuginfo-3.0.33-0.35.el4.s390.rpm samba-debuginfo-3.0.33-0.35.el4.s390x.rpm samba-swat-3.0.33-0.35.el4.s390x.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux Desktop version 4: Source: ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux ES version 4: Source: ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm ia64: samba-3.0.33-0.35.el4.ia64.rpm samba-client-3.0.33-0.35.el4.ia64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.ia64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.ia64.rpm samba-swat-3.0.33-0.35.el4.ia64.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux WS version 4: Source: ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/samba-3.0.33-0.35.el4.src.rpm i386: samba-3.0.33-0.35.el4.i386.rpm samba-client-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-swat-3.0.33-0.35.el4.i386.rpm ia64: samba-3.0.33-0.35.el4.ia64.rpm samba-client-3.0.33-0.35.el4.ia64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.ia64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.ia64.rpm samba-swat-3.0.33-0.35.el4.ia64.rpm x86_64: samba-3.0.33-0.35.el4.x86_64.rpm samba-client-3.0.33-0.35.el4.x86_64.rpm samba-common-3.0.33-0.35.el4.i386.rpm samba-common-3.0.33-0.35.el4.x86_64.rpm samba-debuginfo-3.0.33-0.35.el4.i386.rpm samba-debuginfo-3.0.33-0.35.el4.x86_64.rpm samba-swat-3.0.33-0.35.el4.x86_64.rpm Red Hat Enterprise Linux Desktop (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba-3.0.33-3.38.el5_8.src.rpm i386: libsmbclient-3.0.33-3.38.el5_8.i386.rpm samba-3.0.33-3.38.el5_8.i386.rpm samba-client-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-swat-3.0.33-3.38.el5_8.i386.rpm x86_64: libsmbclient-3.0.33-3.38.el5_8.i386.rpm libsmbclient-3.0.33-3.38.el5_8.x86_64.rpm samba-3.0.33-3.38.el5_8.x86_64.rpm samba-client-3.0.33-3.38.el5_8.x86_64.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.x86_64.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.x86_64.rpm samba-swat-3.0.33-3.38.el5_8.x86_64.rpm RHEL Desktop Workstation (v. 5 client): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/samba-3.0.33-3.38.el5_8.src.rpm i386: libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm x86_64: libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm libsmbclient-devel-3.0.33-3.38.el5_8.x86_64.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.x86_64.rpm Red Hat Enterprise Linux Long Life (v. 5.3 server): Source: samba-3.0.33-3.7.el5_3.4.src.rpm i386: samba-3.0.33-3.7.el5_3.4.i386.rpm samba-client-3.0.33-3.7.el5_3.4.i386.rpm samba-common-3.0.33-3.7.el5_3.4.i386.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.i386.rpm samba-swat-3.0.33-3.7.el5_3.4.i386.rpm ia64: samba-3.0.33-3.7.el5_3.4.ia64.rpm samba-client-3.0.33-3.7.el5_3.4.ia64.rpm samba-common-3.0.33-3.7.el5_3.4.ia64.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.ia64.rpm samba-swat-3.0.33-3.7.el5_3.4.ia64.rpm x86_64: samba-3.0.33-3.7.el5_3.4.x86_64.rpm samba-client-3.0.33-3.7.el5_3.4.x86_64.rpm samba-common-3.0.33-3.7.el5_3.4.i386.rpm samba-common-3.0.33-3.7.el5_3.4.x86_64.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.i386.rpm samba-debuginfo-3.0.33-3.7.el5_3.4.x86_64.rpm samba-swat-3.0.33-3.7.el5_3.4.x86_64.rpm Red Hat Enterprise Linux EUS (v. 5.6 server): Source: samba-3.0.33-3.29.el5_6.4.src.rpm i386: libsmbclient-3.0.33-3.29.el5_6.4.i386.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.i386.rpm samba-3.0.33-3.29.el5_6.4.i386.rpm samba-client-3.0.33-3.29.el5_6.4.i386.rpm samba-common-3.0.33-3.29.el5_6.4.i386.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.i386.rpm samba-swat-3.0.33-3.29.el5_6.4.i386.rpm ia64: libsmbclient-3.0.33-3.29.el5_6.4.ia64.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.ia64.rpm samba-3.0.33-3.29.el5_6.4.ia64.rpm samba-client-3.0.33-3.29.el5_6.4.ia64.rpm samba-common-3.0.33-3.29.el5_6.4.ia64.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.ia64.rpm samba-swat-3.0.33-3.29.el5_6.4.ia64.rpm ppc: libsmbclient-3.0.33-3.29.el5_6.4.ppc.rpm libsmbclient-3.0.33-3.29.el5_6.4.ppc64.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.ppc.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.ppc64.rpm samba-3.0.33-3.29.el5_6.4.ppc.rpm samba-client-3.0.33-3.29.el5_6.4.ppc.rpm samba-common-3.0.33-3.29.el5_6.4.ppc.rpm samba-common-3.0.33-3.29.el5_6.4.ppc64.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.ppc.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.ppc64.rpm samba-swat-3.0.33-3.29.el5_6.4.ppc.rpm s390x: libsmbclient-3.0.33-3.29.el5_6.4.s390.rpm libsmbclient-3.0.33-3.29.el5_6.4.s390x.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.s390.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.s390x.rpm samba-3.0.33-3.29.el5_6.4.s390x.rpm samba-client-3.0.33-3.29.el5_6.4.s390x.rpm samba-common-3.0.33-3.29.el5_6.4.s390.rpm samba-common-3.0.33-3.29.el5_6.4.s390x.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.s390.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.s390x.rpm samba-swat-3.0.33-3.29.el5_6.4.s390x.rpm x86_64: libsmbclient-3.0.33-3.29.el5_6.4.i386.rpm libsmbclient-3.0.33-3.29.el5_6.4.x86_64.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.i386.rpm libsmbclient-devel-3.0.33-3.29.el5_6.4.x86_64.rpm samba-3.0.33-3.29.el5_6.4.x86_64.rpm samba-client-3.0.33-3.29.el5_6.4.x86_64.rpm samba-common-3.0.33-3.29.el5_6.4.i386.rpm samba-common-3.0.33-3.29.el5_6.4.x86_64.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.i386.rpm samba-debuginfo-3.0.33-3.29.el5_6.4.x86_64.rpm samba-swat-3.0.33-3.29.el5_6.4.x86_64.rpm Red Hat Enterprise Linux (v. 5 server): Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/samba-3.0.33-3.38.el5_8.src.rpm i386: libsmbclient-3.0.33-3.38.el5_8.i386.rpm libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm samba-3.0.33-3.38.el5_8.i386.rpm samba-client-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-swat-3.0.33-3.38.el5_8.i386.rpm ia64: libsmbclient-3.0.33-3.38.el5_8.ia64.rpm libsmbclient-devel-3.0.33-3.38.el5_8.ia64.rpm samba-3.0.33-3.38.el5_8.ia64.rpm samba-client-3.0.33-3.38.el5_8.ia64.rpm samba-common-3.0.33-3.38.el5_8.ia64.rpm samba-debuginfo-3.0.33-3.38.el5_8.ia64.rpm samba-swat-3.0.33-3.38.el5_8.ia64.rpm ppc: libsmbclient-3.0.33-3.38.el5_8.ppc.rpm libsmbclient-3.0.33-3.38.el5_8.ppc64.rpm libsmbclient-devel-3.0.33-3.38.el5_8.ppc.rpm libsmbclient-devel-3.0.33-3.38.el5_8.ppc64.rpm samba-3.0.33-3.38.el5_8.ppc.rpm samba-client-3.0.33-3.38.el5_8.ppc.rpm samba-common-3.0.33-3.38.el5_8.ppc.rpm samba-common-3.0.33-3.38.el5_8.ppc64.rpm samba-debuginfo-3.0.33-3.38.el5_8.ppc.rpm samba-debuginfo-3.0.33-3.38.el5_8.ppc64.rpm samba-swat-3.0.33-3.38.el5_8.ppc.rpm s390x: libsmbclient-3.0.33-3.38.el5_8.s390.rpm libsmbclient-3.0.33-3.38.el5_8.s390x.rpm libsmbclient-devel-3.0.33-3.38.el5_8.s390.rpm libsmbclient-devel-3.0.33-3.38.el5_8.s390x.rpm samba-3.0.33-3.38.el5_8.s390x.rpm samba-client-3.0.33-3.38.el5_8.s390x.rpm samba-common-3.0.33-3.38.el5_8.s390.rpm samba-common-3.0.33-3.38.el5_8.s390x.rpm samba-debuginfo-3.0.33-3.38.el5_8.s390.rpm samba-debuginfo-3.0.33-3.38.el5_8.s390x.rpm samba-swat-3.0.33-3.38.el5_8.s390x.rpm x86_64: libsmbclient-3.0.33-3.38.el5_8.i386.rpm libsmbclient-3.0.33-3.38.el5_8.x86_64.rpm libsmbclient-devel-3.0.33-3.38.el5_8.i386.rpm libsmbclient-devel-3.0.33-3.38.el5_8.x86_64.rpm samba-3.0.33-3.38.el5_8.x86_64.rpm samba-client-3.0.33-3.38.el5_8.x86_64.rpm samba-common-3.0.33-3.38.el5_8.i386.rpm samba-common-3.0.33-3.38.el5_8.x86_64.rpm samba-debuginfo-3.0.33-3.38.el5_8.i386.rpm samba-debuginfo-3.0.33-3.38.el5_8.x86_64.rpm samba-swat-3.0.33-3.38.el5_8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2012-0870.html https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2012 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFPRq5BXlSAg2UNWIIRAi8UAKCeG0OK/toZruQMW71pNgX/9EFWJACfWhgR 2fYxfIbc/dSB94Bi22p/vW4= =Pybf -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201206-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: Samba: Multiple vulnerabilities Date: June 24, 2012 Bugs: #290633, #310105, #323785, #332063, #337295, #356917, #382263, #386375, #405551, #411487, #414319 ID: 201206-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Samba, the worst of which may allow execution of arbitrary code with root privileges. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-fs/samba < 3.5.15 >= 3.5.15 Description =========== Multiple vulnerabilities have been discovered in Samba. Please review the CVE identifiers referenced below for details. Furthermore, a local attacker may be able to cause a Denial of Service condition or obtain sensitive information in a Samba credentials file. Workaround ========== There is no known workaround at this time. Resolution ========== All Samba users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-fs/samba-3.5.15" References ========== [ 1 ] CVE-2009-2906 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2906 [ 2 ] CVE-2009-2948 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2948 [ 3 ] CVE-2010-0728 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0728 [ 4 ] CVE-2010-1635 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1635 [ 5 ] CVE-2010-1642 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1642 [ 6 ] CVE-2010-2063 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2063 [ 7 ] CVE-2010-3069 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3069 [ 8 ] CVE-2011-0719 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0719 [ 9 ] CVE-2011-1678 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1678 [ 10 ] CVE-2011-2724 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2724 [ 11 ] CVE-2012-0870 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0870 [ 12 ] CVE-2012-1182 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1182 [ 13 ] CVE-2012-2111 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2111 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-22.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201209-0274 CVE-2012-4999 Mercury MR804 Denial of service in router (DoS) Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201202-0309
CVSS V2: 6.1
CVSS V3: -
Severity: MEDIUM
Mercury MR804 Router 8.0 3.8.1 Build 101220 Rel.53006nB allows remote attackers to cause a denial of service (service hang) via a crafted string in HTTP header fields such as (1) If-Modified-Since, (2) If-None-Match, or (3) If-Unmodified-Since. NOTE: some of these details are obtained from third party information. The Mercury MR804 Router is a router device. Mercury MR804 router is prone to multiple denial-of-service vulnerabilities. Remote attackers can exploit these issues to cause the device to crash, denying service to legitimate users. Mercury MR804 running version 3.8.1 Build 101220 is vulnerable. ---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Mercury MR804 Denial of Service Vulnerability SECUNIA ADVISORY ID: SA48079 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48079/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48079 RELEASE DATE: 2012-03-07 DISCUSS ADVISORY: http://secunia.com/advisories/48079/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48079/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48079 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Mercury MR804, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is reported in version 8. Other versions may also be affected. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: demonalex@163.com. OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0348 CVE-2012-1292 SAP NetWeaver In MessagingSystem Performance Data Vulnerability to get important information about CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the MessagingSystem servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the MessagingSystem Performance Data via unspecified vectors. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. Because the input passed to the b2b/admin/log_view.jsp or b2b/admin/log.jsp script in the Internet Sales module via the \"logfilename\" parameter is missing validation before being used to display the file, it can result in arbitrary files being obtained through the directory traversal sequence. information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple directory traversal vulnerabilities 3. Multiple information-disclosure vulnerabilities Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47861 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47861/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 RELEASE DATE: 2012-02-21 DISCUSS ADVISORY: http://secunia.com/advisories/47861/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47861/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs. The vulnerabilities are reported in version 7.0. Other versions may also be affected. SOLUTION: Apply SAP Security Notes 1585527 and 1583300. PROVIDED AND/OR DISCOVERED BY: Dmitriy Chastukhin, Digital Security Research Group. ORIGINAL ADVISORY: Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://dsecrg.com/pages/vul/show.php?id=414 http://dsecrg.com/pages/vul/show.php?id=415 http://dsecrg.com/pages/vul/show.php?id=416 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0347 CVE-2012-1291 SAP NetWeaver In Adapter Monitor Vulnerability to get important information about CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the Adapter Monitor via unspecified vectors, possibly related to the EnableInvokerServletGlobally property in the servlet_jsp service. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. Because the input passed to the b2b/admin/log_view.jsp or b2b/admin/log.jsp script in the Internet Sales module via the \"logfilename\" parameter is missing validation before being used to display the file, it can result in arbitrary files being obtained through the directory traversal sequence. information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple directory traversal vulnerabilities 3. Multiple information-disclosure vulnerabilities Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47861 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47861/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 RELEASE DATE: 2012-02-21 DISCUSS ADVISORY: http://secunia.com/advisories/47861/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47861/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs. The vulnerabilities are reported in version 7.0. Other versions may also be affected. SOLUTION: Apply SAP Security Notes 1585527 and 1583300. PROVIDED AND/OR DISCOVERED BY: Dmitriy Chastukhin, Digital Security Research Group. ORIGINAL ADVISORY: Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://dsecrg.com/pages/vul/show.php?id=414 http://dsecrg.com/pages/vul/show.php?id=415 http://dsecrg.com/pages/vul/show.php?id=416 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0346 CVE-2012-1290 SAP NetWeaver of b2b/auction/container.jsp Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp in the Internet Sales (crm.b2b) module in SAP NetWeaver 7.0 allows remote attackers to inject arbitrary web script or HTML via the _loadPage parameter. SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. There is a vulnerability in SAP NetWeaver. information. The SAP NetWeaver com.sap.aii.mdt.amt.web.AMTPageProcessor servlet error can be exploited to leak certain Adapter monitoring information. SAP NetWeaver is prone to multiple input-validation vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple directory traversal vulnerabilities 3. Multiple information-disclosure vulnerabilities Attackers can exploit these issues to execute arbitrary script code in the context of the website, steal cookie-based authentication information, and disclose sensitive information. Other attacks are also possible. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver Multiple Vulnerabilities SECUNIA ADVISORY ID: SA47861 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47861/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 RELEASE DATE: 2012-02-21 DISCUSS ADVISORY: http://secunia.com/advisories/47861/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47861/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47861 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has reported some vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks and by malicious users and malicious people to disclose sensitive information. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. This can be exploited to disclose the contents of arbitrary files via directory traversal sequences. Successful exploitation of vulnerabilities #1 and #2 may require permission to view logs. The vulnerabilities are reported in version 7.0. Other versions may also be affected. SOLUTION: Apply SAP Security Notes 1585527 and 1583300. PROVIDED AND/OR DISCOVERED BY: Dmitriy Chastukhin, Digital Security Research Group. ORIGINAL ADVISORY: Digital Security Research Group: http://dsecrg.com/pages/vul/show.php?id=412 http://dsecrg.com/pages/vul/show.php?id=413 http://dsecrg.com/pages/vul/show.php?id=414 http://dsecrg.com/pages/vul/show.php?id=415 http://dsecrg.com/pages/vul/show.php?id=416 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0344 CVE-2012-1288 UTC Fire & Security GE-MC100-NTP/GPS-ZB Trust Management Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock device uses hardcoded credentials for an administrative account, which makes it easier for remote attackers to obtain access via an HTTP session. UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock have default administrator login credentials that can not be modified by an administrator. A remote attacker could exploit the vulnerability to gain access via an HTTP session. Successful exploits will result in the complete compromise of the affected device. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock Default Account Security Issue SECUNIA ADVISORY ID: SA48037 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48037/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48037 RELEASE DATE: 2012-02-23 DISCUSS ADVISORY: http://secunia.com/advisories/48037/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48037/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48037 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock, which can be exploited by malicious people to bypass certain security restrictions. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Temple Murphy ORIGINAL ADVISORY: US-CERT (VU#707254): http://www.kb.cert.org/vuls/id/707254 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0180 CVE-2012-1193 PowerDNS Vulnerabilities that allow continuous name resolution for invalid domain names CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. PowerDNS Recursor is a high performance recursive name server. A vulnerability exists in the resolver in version 3.3 of PowerDNS Recursor (also known as pdns_recursor). The cache server name and TTL value in the NS record are overwritten during the processing of the query record response. Successfully exploiting these issues will allow an attacker to manipulate cache data, which may aid in further attacks. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201412-33 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PowerDNS Recursor: Multiple vulnerabilities Date: December 22, 2014 Bugs: #299942, #404377, #514946, #531992 ID: 201412-33 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in PowerDNS Recursor, the worst of which may allow execution of arbitrary code. Background ========== PowerDNS Recursor is a high-end, high-performance resolving name server Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-dns/pdns-recursor < 3.6.1-r1 >= 3.6.1-r1 Description =========== Multiple vulnerabilities have been discovered in PowerDNS Recursor. Please review the CVE identifiers and PowerDNS blog post referenced below for details. Impact ====== A remote attacker may be able to send specially crafted packets, possibly resulting in arbitrary code execution or a Denial of Service condition. Furthermore, a remote attacker may be able to spoof DNS data. Workaround ========== There is no known workaround at this time. Resolution ========== All PowerDNS Recursor users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-dns/pdns-recursor-3.6.1-r1"= References ========== [ 1 ] CVE-2009-4009 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4009 [ 2 ] CVE-2009-4010 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4010 [ 3 ] CVE-2012-1193 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1193 [ 4 ] CVE-2014-8601 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8601 [ 5 ] Related to recent DoS attacks: Recursor configuration file guidance http://blog.powerdns.com/2014/02/06/related-to-recent-dos-attacks-recurso= r-configuration-file-guidance/ Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201412-33.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2014 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
VAR-201202-0239 CVE-2012-0224 7T TERMIS DLL Load arbitrary code execution vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Untrusted search path vulnerability in 7-Technologies (7T) AQUIS 1.5 and earlier allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2012-0223. DLL It may be possible to get permission through the file. AQUIS Operation is a software product developed by 7-Technologies of Denmark (7T). Used in hydraulic models, automation engineering, systems engineering and software engineering. 7-Technologies AQUIS software has DLL hijacking problem. The attacker can prevent the malicious DLL from being loaded in the software directory and will be loaded before the legal DLL. The attacker must access the host file system to exploit this vulnerability, and the exploit can be exploited in the application context. Execute arbitrary code. 7-Technologies TERMIS is an energy network simulation platform designed to improve system design and operation. An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file. AQUIS 1.5 and prior versions are vulnerable. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: 7-Technologies AQUIS / TERMIS Insecure Library Loading Vulnerability SECUNIA ADVISORY ID: SA48093 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48093/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48093 RELEASE DATE: 2012-02-20 DISCUSS ADVISORY: http://secunia.com/advisories/48093/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48093/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48093 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in AQUIS and TERMIS, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application loading unspecified libraries in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. opening a certain file located on a remote WebDAV or SMB share. The vulnerability is reported in the following products: * AQUIS version 1.5 dated October 13, 2011 and prior. * TERMIS version 2.10 dated November 30, 2011 and prior. SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ PROVIDED AND/OR DISCOVERED BY: ICS-CERT credits Kuang-Chun Hung, Security Research and Service Institute&#8722;Information and Communication Security Technology Center (ICST). ORIGINAL ADVISORY: ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICSA-12-025-01.pdf http://www.us-cert.gov/control_systems/pdf/ICSA-12-025-02.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0362 No CVE SAP Netweaver SOAP Message Remote Buffer Overflow Vulnerability CVSS V2: -
CVSS V3: -
Severity: HIGH
SAP NetWeaver is the technical foundation for SAP Business Suite solutions, SAP xApps composite applications, partner solutions, and custom applications. The SAPHostControl service has a boundary error when processing certain commands wrapped in SOAP messages. A stack-based buffer overflow can be triggered by a very long command, and a successful exploit can execute arbitrary code in the application context. SAP Netweaver is prone to a remote buffer-overflow vulnerability. Failed exploit attempts may result in a denial-of-service condition. SAP Netweaver 7.02 is affected; other versions may also be vulnerable. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: SAP NetWeaver SAPHostControl Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA48047 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48047/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48047 RELEASE DATE: 2012-02-20 DISCUSS ADVISORY: http://secunia.com/advisories/48047/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48047/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48047 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Context Information Security has reported a vulnerability in SAP NetWeaver, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is reported in version 7.02. SOLUTION: Apply SAP security note 1638811. PROVIDED AND/OR DISCOVERED BY: Nico Leidecker, Context Information Security. ORIGINAL ADVISORY: SAP: https://service.sap.com/sap/support/notes/1638811 Context Information Security: http://archives.neohapsis.com/archives/fulldisclosure/2012-02/0269.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-201202-0179 CVE-2012-1192 Unbound Vulnerabilities that allow continuous name resolution for invalid domain names CVSS V2: 6.4
CVSS V3: -
Severity: MEDIUM
The resolver in Unbound before 1.4.11 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. Unbound is an open source recursive DNS server software. A vulnerability exists in the resolver in versions prior to Unbound 1.4.11. Unbound is prone to a remote security vulnerability
VAR-201209-0472 CVE-2012-4924 ASUS Net4Switch for ipswcom.dll ActiveX Component buffer overflow vulnerability CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Buffer overflow in the CxDbgPrint function in the ipswcom.dll ActiveX component 1.0.0.1 for ASUS Net4Switch 1.0.0020 allows remote attackers to execute arbitrary code via a long parameter to the Alert method. ASUS Net4Switch is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely result in denial-of-service conditions. ASUS Net4Switch ipswcom.dll 1.0.0.1 is vulnerable; other versions may also be affected. ASUS Net4Switch is a network management software for ASUS computers. ---------------------------------------------------------------------- Secunia presentations @ RSA Conference 2012, San Francisco, USA, 27 Feb-02 March Listen to our Chief Security Specialist, Research Analyst Director, and Director Product Management & Quality Assurance discuss the industry's key topics. Also, visit the Secunia stand #817. Find out more: http://www.rsaconference.com/events/2012/usa/index.htm ---------------------------------------------------------------------- TITLE: Net4Switch ipswcom ActiveX Control Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA48125 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/48125/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=48125 RELEASE DATE: 2012-02-22 DISCUSS ADVISORY: http://secunia.com/advisories/48125/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/48125/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=48125 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Digital Security Research Group has discovered a vulnerability in Net4Switch ipswcom ActiveX Control, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "CxDbgPrint()" function (cxcmrt.dll) when creating a debug message string. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 1.0.0020 (ipswcom 1.0.0.1). SOLUTION: Set the kill-bit for the affected ActiveX control. PROVIDED AND/OR DISCOVERED BY: Dmitriy Evdokimov, Digital Security Research Group ORIGINAL ADVISORY: DSECRG-12-017: http://dsecrg.com/pages/vul/show.php?id=417 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------