VARIoT IoT vulnerabilities database

VAR-201002-0210 CVE-2010-0641 Cross-site scripting vulnerability in webline/html/admin/wcs/LoginPage.jhtml in CCS CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in webline/html/admin/wcs/LoginPage.jhtml in Cisco Collaboration Server (CCS) 5 allows remote attackers to inject arbitrary web script or HTML via the dest parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Cisco Collaboration Server 5 is vulnerable; other versions may be affected as well. NOTE: The vendor has discontinued this product.
VAR-201002-0211 CVE-2010-0642 JHTML file source code disclosure vulnerability in CCS CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Collaboration Server (CCS) 5 allows remote attackers to read the source code of JHTML files via URL encoded characters in the filename extension, as demonstrated by (1) changing .jhtml to %2Ejhtml, (2) changing .jhtml to .jhtm%6C, (3) appending %00 after .jhtml, and (4) appending %c0%80 after .jhtml, related to the (a) doc/docindex.jhtml, (b) browserId/wizardForm.jhtml, (c) webline/html/forms/callback.jhtml, (d) webline/html/forms/callbackICM.jhtml, (e) webline/html/agent/AgentFrame.jhtml, (f) webline/html/agent/default/badlogin.jhtml, (g) callme/callForm.jhtml, (h) webline/html/multichatui/nowDefunctWindow.jhtml, (i) browserId/wizard.jhtml, (j) admin/CiscoAdmin.jhtml, (k) msccallme/mscCallForm.jhtml, and (l) webline/html/admin/wcs/LoginPage.jhtml components. A flaw in how Cisco Collaboration Server (CCS) processes these components allows the source code of JHTML files to be read. Cisco Collaboration Server is prone to multiple vulnerabilities that may allow remote attackers to obtain source code, which may aid them in further attacks. Cisco Collaboration Server 5 is vulnerable; other versions may be affected as well. NOTE: The vendor has discontinued this product. A remote attacker can read the source code of JHTML script files by adding URL-encoded characters to the file name extensions of multiple scripts.
VAR-201002-0067 CVE-2010-0144 Arbitrary file read vulnerability in the WebSafe DistributorServlet of Cisco IronPort Encryption Appliance and other products CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922.
VAR-201002-0338 No CVE SAP J2EE Engine Core Unspecified Phishing Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP J2EE Engine Core is prone to a vulnerability that can aid in phishing attacks. Successful exploits may allow attackers to redirect victims to a malicious website, which may lead to other attacks. Versions prior to the following are vulnerable: J2EE Engine Core 6.40 SP26, J2EE Engine Core 7.00 SP22, J2EE Engine Core 7.01 SP07, J2EE Engine Core 7.02 SP03. Additional products that include the J2EE Engine Core may also be vulnerable.
VAR-201002-0329 No CVE SAP WebDynpro Runtime Unspecified HTML Injection Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
SAP WebDynpro Runtime included in SAP NetWeaver is prone to an HTML-injection vulnerability because the application fails to sanitize user-supplied input. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
VAR-201002-0756 CVE-2010-0144 Arbitrary file read vulnerability in the WebSafe DistributorServlet of Cisco IronPort Encryption Appliance and other products CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922.

ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance

Advisory ID: cisco-sa-20100210-ironport

Revision 1.0

For Public Release 2010 February 10 1600 UTC (GMT)

Summary
=======

Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco IronPort Encryption Appliance versions are affected by these vulnerabilities:

• Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
• Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
• Cisco IronPort PostX MAP versions prior to 6.2.9.1

The version of software that is running on a Cisco IronPort Encryption Appliance is located on the "About" page of the Cisco IronPort Encryption Appliance administration interface.

Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IronPort C, M, and S-Series appliances are not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only.

The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143.

The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144.

The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to access arbitrary files or execute arbitrary code with elevated privileges.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

Workarounds
===========

It is possible to mitigate the administration interface file access vulnerability (IronPort Bug 65921) by using the IP address restriction feature of the administration interface to limit access to trusted hosts. Access to the administration interface is not restricted by default. To configure access limits, an administrator should navigate to "Configuration -> Web Services -> Admin -> Console Security" area in the Cisco IronPort Encryption Appliance administration interface.

To disable the HTTP Invoker, an administrator must delete several files in the PostX application home directory and remove a directive from the web server configuration. The following files must be deleted:

    jboss/server/postx/deploy/http-invoker.sar
    jboss/server/postx/deploy/jms/jbossmq-httpil.sar

The following directive must be removed from the "jboss/server/postx/conf/jboss-service.xml" web server configuration file.

    <mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"
           name="jboss.scripts:service=BSHDeployer">
    </mbean>

After deleting the files and removing the directive from the configuration file, the PostX application service must be restarted.

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities.

The affected products in this advisory are directly supported by Cisco IronPort. Customers should contact Cisco IronPort technical support at the link below to obtain software fixes. Cisco IronPort technical support will assist customers in determining the correct fixes and installation procedures. Customers should direct all warranty questions to IronPort technical support.

Note: Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered and reported to Cisco by Jesse Michael and Alexander Senkevitch of Blue Cross Blue Shield of Illinois. Cisco would like to thank Jesse and Alexander for reporting these vulnerabilities to us and for working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

• cust-security-announce@cisco.com
• first-bulletins@lists.first.org
• bugtraq@securityfocus.com
• vulnwatch@vulnwatch.org
• cisco@spot.colorado.edu
• cisco-nsp@puck.nether.net
• full-disclosure@lists.grok.org.uk
• comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

Revision 1.0 | 2010-FEB-10 | Initial public release

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt
VAR-201002-0066 CVE-2010-0143 Arbitrary file read vulnerability in the administrative interface of Cisco IronPort Encryption Appliance CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921. Cisco IronPort Encryption Appliance is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information contained in arbitrary files. This issue is being tracked by IronPort bug 65921. The following products are affected: IronPort Encryption Appliance 6.5 (prior to 6.5.2), IronPort Encryption Appliance 6.2 (prior to 6.2.9.1), IronPort PostX MAP (prior to 6.2.9.1). A remote attacker can read arbitrary files through unknown vectors.
VAR-201002-0068 CVE-2010-0145 Arbitrary code execution vulnerability in the HTTPS server of Cisco IronPort Encryption Appliance and other products CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923. Cisco IronPort Encryption Appliance is prone to a remote code-execution vulnerability. This vulnerability is documented by IronPort bug 65923. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.
VAR-201002-0325 No CVE RSLinx EDS File Remote Stack Buffer Overflow Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
RSLinx is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Successful exploits may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions. RSLinx Lite 2.31.00 is vulnerable; other versions may also be affected.
VAR-201002-0755 CVE-2010-0145 Arbitrary code execution vulnerability in the HTTPS server of Cisco IronPort Encryption Appliance and other products CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923. Cisco IronPort Encryption Appliance is prone to a remote code-execution vulnerability. This vulnerability is documented by IronPort bug 65923. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. 2) An error in the IronPort Encryption Appliance WebSafe servlet can be exploited to disclose arbitrary files. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
VAR-201002-0754 CVE-2010-0143 Arbitrary file read vulnerability in the administrative interface of Cisco IronPort Encryption Appliance CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921. Cisco IronPort Encryption Appliance is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information contained in arbitrary files. This issue is being tracked by IronPort bug 65921. The following products are affected. IronPort Encryption Appliance 6.5 (prior to 6.5.2) IronPort Encryption Appliance 6.2 (prior to 6.2.9.1) IronPort PostX MAP (prior to 6.2.9.1). ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . 
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort Encryption Appliance Advisory ID: cisco-sa-20100210-ironport Revision 1.0 For Public Release 2010 February 10 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco IronPort Encryption Appliance devices contain two vulnerabilities that allow remote, unauthenticated access to any file on the device and one vulnerability that allows remote, unauthenticated users to execute arbitrary code with elevated privileges. There are workarounds available to mitigate these vulnerabilities. Cisco has released free software updates that address these vulnerabilities. Note: Customers should contact IronPort support to determine which software fixes are applicable for their environment. Please consult the Obtaining Fixed Software section of this advisory for more information. Products Confirmed Not Vulnerable +-------------------------------- Cisco IronPort C, M, and S-Series appliances are not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Note: IronPort tracks bugs using an internal system that is not available to customers. The IronPort bug tracking identifiers are provided for reference only. The first vulnerability affecting the Cisco IronPort Encryption Appliance administration interface is documented in IronPort bug 65921 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0143. The second vulnerability affecting the WebSafe servlet is documented in IronPort bug 65922 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0144. The vulnerability is documented in IronPort bug 65923 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0145. 
Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access

CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - None
    Availability Impact - None

CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may allow a remote, unauthenticated attacker to access arbitrary files or execute arbitrary code with elevated privileges.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

Workarounds
===========

It is possible to mitigate the administration interface file access vulnerability (IronPort Bug 65921) by using the IP address restriction feature of the administration interface to limit access to trusted hosts. Access to the administration interface is not restricted by default. To configure access limits, an administrator should navigate to "Configuration -> Web Services -> Admin -> Console Security" area in the Cisco IronPort Encryption Appliance administration interface.

To disable the HTTP Invoker, an administrator must delete several files in the PostX application home directory and remove a directive from the web server configuration. The following files must be deleted:

    jboss/server/postx/deploy/http-invoker.sar
    jboss/server/postx/deploy/jms/jbossmq-httpil.sar

The following directive must be removed from the "jboss/server/postx/conf/jboss-service.xml" web server configuration file.

    <mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"
           name="jboss.scripts:service=BSHDeployer">
    </mbean>

After deleting the files and removing the directive from the configuration file, the PostX application service must be restarted.
Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Customers should contact Cisco IronPort technical support at the link below to obtain software fixes. Cisco IronPort technical support will assist customers in determining the correct fixes and installation procedures. Customers should direct all warranty questions to IronPort technical support.

Note: Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades.

http://www.ironport.com/support/contact_support.html

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered and reported to Cisco by Jesse Michael and Alexander Senkevitch of Blue Cross Blue Shield of Illinois. Cisco would like to thank Jesse and Alexander for reporting these vulnerabilities to us and for working with us on a coordinated disclosure.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  • cust-security-announce@cisco.com
  • first-bulletins@lists.first.org
  • bugtraq@securityfocus.com
  • vulnwatch@vulnwatch.org
  • cisco@spot.colorado.edu
  • cisco-nsp@puck.nether.net
  • full-disclosure@lists.grok.org.uk
  • comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

| Revision 1.0 | 2010-FEB-10 | Initial public release |

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at:

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at:

http://www.cisco.com/go/psirt
VAR-201002-0650 CVE-2010-0243 Microsoft Office of MSO.DLL Vulnerable to buffer overflow CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow.". Microsoft Office is prone to a remote code-execution vulnerability. An attacker could exploit this issue by enticing a victim to open a malicious Office file. Successful exploits would allow the attacker to execute arbitrary code in the context of the currently logged-in user. The vulnerability is caused due to an error when parsing OfficeArtSpgr containers and can be exploited to cause a buffer overflow via a specially crafted Office file. SOLUTION: Apply patches.

Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/

Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability

1. *Advisory Information*

Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability
Advisory Id: CORE-2009-0827
Advisory URL: http://www.coresecurity.com/content/excel-buffer-overflow
Date published: 2010-02-09
Date of last update: 2010-02-08
Vendors contacted: Microsoft
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 38073
CVE Name: CVE-2010-0243

3. *Vulnerability Description*

A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user.

4. *Vulnerable packages*

*Non-vulnerable packages*

   . Open XML File Format Converter for Mac
   . PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007 Service Pack 2
   . Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2
   . Microsoft Works 8.5
   . Microsoft Works 9

6. *Vendor Information, Solutions and Workarounds*

Microsoft has addressed this vulnerability by issuing an update located at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp

7. *Credits*

This vulnerability was discovered and researched by Damian Frizza from Core Security Technologies during Bugweek 2009 [1].

8. *Technical Description / Proof of Concept Code*

8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value leads to attacker controlled pointer usage [MSRC 9368]*

A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr (recType 0xF003) containers that allows an attacker to cause a class pointer to be interpreted incorrectly, leading to code execution in the context of the currently logged on user. The precise affected executable version we tested is 'Excel.exe v10.0.6854' and the DLL is 'mso.dll v10.0.6845'

Likely attack vectors include:

   . Targeted attacks involving e-mailed malicious files combined with social engineering to entice the user to open the malicious attachment.
   . Targeted attacks involving malicious files hosted on a remote web site combined with social engineering to entice the user to open the malicious attachment.

The root cause description of the vulnerability is that there is no check to make sure that there is a valid group before loading the SPGR from the file. A disassembly of the vulnerable code follows:

/-----
30BDE405   CMP ECX,0F003
30BDE40B   JB mso.30EFD183
30BDE411   CMP ECX,0F004
30BDE417   JA mso.30BDE4C8
30BDE41D   XOR ESI,ESI
30BDE41F   LEA EAX,DWORD PTR SS:[EBP-8]
30BDE422   PUSH ESI
30BDE423   PUSH EAX
30BDE424   PUSH EDI
30BDE425   MOV ECX,EBX
30BDE427   CALL mso.30BDEC18
30BDE42C   TEST EAX,EAX
30BDE42E   JE mso.30EFD21A
30BDE434   MOV EDX,DWORD PTR SS:[EBP-8]
30BDE437   MOV EAX,DWORD PTR DS:[EDX+50]
30BDE43A   TEST AL,10
30BDE43C   JE mso.30BDE356
30BDE442   TEST AL,4
30BDE444   JE mso.30EFD21A
30BDE44A   CMP WORD PTR DS:[EDX+24],SI
30BDE44E   JNZ mso.30EFD21A
30BDE454   PUSH 23
30BDE456   LEA EDI,DWORD PTR DS:[EBX+90]
30BDE45C   POP ECX
30BDE45D   MOV ESI,EDX
30BDE45F   LEA EAX,DWORD PTR DS:[EBX+F0]
30BDE465   ADD EDX,58
30BDE468   REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
30BDE46A   CMP DWORD PTR DS:[EAX],EDX
30BDE46C   MOV DWORD PTR DS:[EBX+CC],EBX
30BDE472   JE mso.30EFD12E
30BDE478   MOV ECX,DWORD PTR DS:[EAX]
30BDE47A   MOV DWORD PTR DS:[ECX],EAX      ;*Access Violation On Write*

registers
eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4 edi=017f06b8
eip=30dd70cc esp=00137674 ebp=00137714 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
-----/

8.2. *Memory Corruption related to Graphic Description [MSRC case 9562]*

Core Security Technologies reported a second bug in Excel which resulted non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4, and BIFF2 file formats for exploitability of this vulnerability. MSRC has been unable to reproduce it in such a way that an exploitable condition occurs.

9. *Report Timeline*
2009-09-04: Core Security Technologies notifies the Microsoft team of the vulnerability #1 and sends a Proof of Concept malformed file.

2009-09-04: Microsoft acknowledges receipt of the vulnerability report, and opens MSRC case 9368 to track this issue.

2009-09-07: Core sends a second Proof of Concept malformed file triggering vulnerability #2 in Excel 2000/2002.

2009-09-08: The Microsoft team acknowledges receipt of the information and estimates that they will have more detailed information in two weeks. They inform us that they will send updated information on the fix release date as the investigation progresses.

2009-09-14: Core acknowledges receipt of the previous mail from the Microsoft team and reminds them that the publication date proposed by Core is November 24th, 2009.

2009-09-14: Core requests Microsoft's analysis of the second reported bug.

2009-09-14: Microsoft confirms that the first bug reported on Excel is exploitable and that they are working on defining a ship date. Microsoft also states that the bug reported as MSRC case 9154 / CORE-2009-0504 is not exploitable and no security bulletin will be issued for that case.

2009-09-16: Core notifies the Microsoft team that there has been a misunderstanding, and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not exploitable in July 2009. Core sends again the Proof of Concepts for the two bugs reported as CORE-2009-0827.

2009-09-17: Microsoft requests Core to hold off the publication of the advisory CORE-2009-0827 until Microsoft comes up with a plan to fix the vulnerability.

2009-09-21: Core notifies the Microsoft team that it had made a mistake in the names of the Proof of Concept files that lead to further confusion. Core confirms that two new bugs were reported and that the third non-exploitable bug belongs to another previous case/advisory. The Excel Proof of Concept files are sent again including identifier CORE-2009-0827.

2009-09-22: The Microsoft team acknowledges the clarification sent by Core and estimates that they will have a deeper analysis of the proof of concept #2 sent by Core in a few days.

2009-10-26: Core sends a summary of the status of the reported vulnerabilities, and requests from Microsoft additional information about its technical analysis of the reported bugs (in particular concerning exploitability of the second bug) and about its schedule to produce fixes.

2009-10-27: Microsoft confirms that they have reproduced the reported bugs, and communicates that they will be unable to release updates for these issues until February 9th, 2010.

2009-10-28: Core communicates that it is willing to reschedule the publication of its advisory provided that Microsoft gives technical information that justifies this decision.

2009-11-02: Microsoft explains that in general both the product team (in this case within Office) as well as MSRC Engineering team look for potential variant bugs for each vulnerability that is reported to them. This is followed by the development of a fix, and the testing of the fix. Microsoft states that it will be able to share additional technical information (requested by Core) about 3-4 weeks before release.

2009-11-02: Core confirms that it will reschedule publication of its advisory to February 9th, 2010, and that it looks forward to receiving technical information about the vulnerabilities.

2009-11-02: Microsoft acknowledges receipt of the previous communication.

2009-11-03: Core asks whether Microsoft considers the two bugs that have been reported as variants of the same problem, or as different issues.

2009-11-06: Microsoft replies that the vulnerability #2 has been lost in the mix, explains how MSRC triage officers assign MSRC tracking case numbers. The vulnerability #2 is assigned MSRC case 9562.

2009-11-06: Core confirms that it considers the second bug (MSRC 9562) to be a different bug than MSRC 9368.

2009-11-18: Microsoft sends a technical analysis of bug MSRC 9562, indicating that this bug causes Excel to crash safely.

2009-12-02: Microsoft sends technical information about bug MSRC 9368, including the root cause of the problem and the list of affected versions.

2009-12-16: Microsoft sends further analysis of bug MSRC 9562, which has been analyzed in conjunction with the reported bug MSRC case 9326 in Virtual PC. MSRC indicates that it has been unable to reproduce an exploitable condition using the Excel bug (MSRC 9562).

2009-12-22: Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees with the technical analysis.

2009-12-18: Microsoft sends a spreadsheet summarising Core cases, which indicates that fixes are confirmed to be released on March 9th 2010.

2009-12-21: Core acknowledges receipt of the technical information, and asks Microsoft whether the release of a fixed version has moved to March 9th 2010.

2009-12-21: Microsoft replies that the ship date for the vulnerability MSRC 9368 in MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical error).

2010-02-01: Core requests MSRC the list of non vulnerable versions of Excel / Office, and a statement for the "vendor information" section of the advisory.

2010-02-03: Microsoft sends the CVE identifier for the vulnerability, and the list of affected and non affected software.

2010-02-09: The advisory CORE-2009-0827 is published.

10. *References*

[1] About Core Security's Bugweek http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-003 http://www.microsoft.com/technet/security/bulletin/MS10-003.msp

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.

13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security Technologies and (c) 2010 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
National Cyber Alert System

Technical Cyber Security Alert TA10-040A

Microsoft Updates for Multiple Vulnerabilities

Original release date:
Last revised: --
Source: US-CERT

Systems Affected

  * Microsoft Windows and Windows Server
  * Microsoft Internet Explorer
  * Microsoft Office

Overview

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.

Description

Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.

II. III. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References

  * Microsoft Security Bulletin Summary for February 2010 - <http://www.microsoft.com/technet/security/bulletin/MS10-feb.mspx>
  * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA10-040A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA10-040A Feedback VU#799780" in the subject.

Produced 2010 by US-CERT, a government organization
VAR-201002-0160 CVE-2010-0563 IBM WebSphere Application Server of Single Sign-on Vulnerabilities that capture important information on functions CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. Based on the Java and Servlet engines, the IBM WebSphere Application Server supports a variety of HTTP services to help users with everything from development and release to maintaining interactive, dynamic websites. IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability. Successful exploits may allow attackers to bypass certain security restrictions, which may lead to other attacks. This issue affects WAS 7.0 through 7.0.0.8
VAR-201002-0744 CVE-2010-0563 IBM WebSphere Application Server of Single Sign-on Vulnerabilities that capture important information on functions CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. Based on the Java and Servlet engines, the IBM WebSphere Application Server supports a variety of HTTP services to help users with everything from development and release to maintaining interactive, dynamic websites. IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability. Successful exploits may allow attackers to bypass certain security restrictions, which may lead to other attacks. This issue affects WAS 7.0 through 7.0.0.8. SOLUTION: Apply Interim Fix APAR PM00610 (please see the vendor's advisory for more information). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: IBM (PM00610): http://www-01.ibm.com/support/docview.wss?uid=swg21417839
VAR-201002-0299 CVE-2003-1582 Microsoft Internet Information Services Security hole CVSS V2: 2.6
CVSS V3: -
Severity: LOW
Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. IIS is prone to a cross-site scripting vulnerability
VAR-201002-0187 CVE-2010-0607 Sterlite SAM300 AX Router of Forms/status_statistics_1 Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 in the Sterlite SAM300 AX Router allows remote attackers to inject arbitrary web script or HTML via the Stat_Radio parameter. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks
VAR-201002-0312 No CVE Ipswitch IMail Server Local Privilege Escalation Vulnerability CVSS V2: -
CVSS V3: -
Severity: -
Ipswitch IMail Server is a mail server bundled in the Ipswitch collaboration component. By default, IMail allows the Internet Guest account to access the following registry keys and their subkeys and values with Full Control privileges: HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail. In addition, the password decryption algorithm implemented in IMail's IMailsec.dll library is reversible. Local users can find the Password string under HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\[domain name]\Users and then crack the encrypted password. Ipswitch IMail Server is prone to multiple local privilege-escalation vulnerabilities. Local attackers may exploit these issues to gain elevated privileges, which may lead to a complete compromise of an affected computer. IMail Server 11.01 is affected; other versions may also be vulnerable
VAR-201002-0342 No CVE uplusware UplusFtp Multiple Remote Buffer Overflow Vulnerabilities CVSS V2: -
CVSS V3: -
Severity: -
UplusFtp (formerly Easy Ftp Server) is prone to multiple remote buffer-overflow vulnerabilities. Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. UplusFtp 1.7.0.12 is vulnerable; prior versions, including Easy Ftp Server, may also be affected.
VAR-201002-0765 CVE-2010-0607 Sterlite SAM300 AX Router of Forms/status_statistics_1 Vulnerable to cross-site scripting CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 in the Sterlite SAM300 AX Router allows remote attackers to inject arbitrary web script or HTML via the Stat_Radio parameter. An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Input passed via e.g. the "Stat_Radio" parameter to Forms/status_statistics_1 is not properly sanitised before being returned to the user. Note: This can be used to change certain router settings (e.g. the DNS server), which can be leveraged to conduct further attacks. SOLUTION: Do not browse untrusted sites or follow untrusted links while being logged-in to the administration interface. PROVIDED AND/OR DISCOVERED BY: Karn Ganeshen CHANGELOG: 2010-02-11: Added note to "Description" section. ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0075.html
VAR-201002-0327 No CVE Novell NetStorage xsrvd Long Pathname Remote Code Execution Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetStorage. Authentication is not required to exploit this vulnerability. The specific flaw exists within the xsrvd process during the wide character conversion of requested file paths. In conjunction with a long username value, the file path conversion will result in a heap overflow corrupting a chunk that will be immediately freed. This can be leveraged by remote attackers to compromise the NetStorage server. Novell NetStorage is prone to a heap-based buffer-overflow vulnerability. This issue affects NetStorage and the following:

  - NetWare 6.5 Support Pack 8
  - Open Enterprise Server 2 (OES 2) Linux Support Pack 1
  - Open Enterprise Server 2 (OES 2) Linux Support Pack 2

ZDI-10-021: Novell NetStorage xsrvd Long Pathname Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-021
February 23, 2010

-- Affected Vendors:
Novell

-- Affected Products:
Novell NetStorage

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 9290.

-- Vendor Response:
Novell has issued an update to correct this vulnerability. More details can be found at:

http://www.novell.com/support/viewContent.do?externalId=7005282

-- Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-02-23 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * 1c239c43f521145fa8385d64a9c32243

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/