VARIoT IoT vulnerabilities database

VAR-201002-0210 | CVE-2010-0641 | CCS of webline/html/admin/wcs/LoginPage.jhtml Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in webline/html/admin/wcs/LoginPage.jhtml in Cisco Collaboration Server (CCS) 5 allows remote attackers to inject arbitrary web script or HTML via the dest parameter.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Cisco Collaboration Server 5 is vulnerable; other versions may be affected as well.
NOTE: The vendor has discontinued this product
VAR-201002-0211 | CVE-2010-0642 | CCS In JHTML Vulnerability to read file source code |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Collaboration Server (CCS) 5 allows remote attackers to read the source code of JHTML files via URL encoded characters in the filename extension, as demonstrated by (1) changing .jhtml to %2Ejhtml, (2) changing .jhtml to .jhtm%6C, (3) appending %00 after .jhtml, and (4) appending %c0%80 after .jhtml, related to the (a) doc/docindex.jhtml, (b) browserId/wizardForm.jhtml, (c) webline/html/forms/callback.jhtml, (d) webline/html/forms/callbackICM.jhtml, (e) webline/html/agent/AgentFrame.jhtml, (f) webline/html/agent/default/badlogin.jhtml, (g) callme/callForm.jhtml, (h) webline/html/multichatui/nowDefunctWindow.jhtml, (i) browserId/wizard.jhtml, (j) admin/CiscoAdmin.jhtml, (k) msccallme/mscCallForm.jhtml, and (l) webline/html/admin/wcs/LoginPage.jhtml components. Cisco Collaboration Server (CCS) Is flawed in the processing related to the following components, JHTML A vulnerability exists that allows the source code of a file to be read. Cisco Collaboration Server is prone to multiple vulnerabilities that may allow remote attackers to obtain sourcecode, which may aid them in further attacks.
Cisco Collaboration Server 5 is vulnerable; other versions may be affected as well.
NOTE: The vendor has discontinued this product. A remote attacker can read the source code of JHTML script files by adding encoded URLs to the file name extensions of multiple scripts
VAR-201002-0067 | CVE-2010-0144 | Cisco IronPort Encryption Appliance Etc. WebSafe DistributorServlet Vulnerable to reading arbitrary files |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922
VAR-201002-0338 | No CVE | SAP J2EE Engine Core Unspecified Phishing Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP J2EE Engine Core is prone to a vulnerability that can aid in phishing attacks.
Successful exploits may allow attackers to redirect victims to a malicious website, which may lead to other attacks.
Versions prior to the following are vulnerable:
J2EE Engine Core 6.40 SP26
J2EE Engine Core 7.00 SP22
J2EE Engine Core 7.01 SP07
J2EE Engine Core 7.02 SP03
Additional products that include the J2EE Engine Core may also be vulnerable.
VAR-201002-0329 | No CVE | SAP WebDynpro Runtime Unspecified HTML Injection Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
SAP WebDynpro Runtime included in SAP NetWeaver is prone to an HTML-injection vulnerability because the application fails to sanitize user-supplied input.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
VAR-201002-0756 | CVE-2010-0144 | Cisco IronPort Encryption Appliance Etc. WebSafe DistributorServlet Vulnerable to reading arbitrary files |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the WebSafe DistributorServlet in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65922.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort
Encryption Appliance
Advisory ID: cisco-sa-20100210-ironport
Revision 1.0
For Public Release 2010 February 10 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco IronPort Encryption Appliance devices contain two
vulnerabilities that allow remote, unauthenticated access to any file
on the device and one vulnerability that allows remote,
unauthenticated users to execute arbitrary code with elevated
privileges. There are workarounds available to mitigate these
vulnerabilities.
Cisco has released free software updates that address these
vulnerabilities. This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following Cisco IronPort Encryption Appliance versions are
affected by these vulnerabilities:
• Cisco IronPort Encryption Appliance 6.5 versions prior to 6.5.2
• Cisco IronPort Encryption Appliance 6.2 versions prior to 6.2.9.1
• Cisco IronPort PostX MAP versions prior to 6.2.9.1
The version of software that is running on a Cisco IronPort
Encryption Appliance is located on the "About" page of the Cisco
IronPort Encryption Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IronPort C, M, and S-Series appliances are not affected by
these vulnerabilities. No other Cisco products are currently known to
be affected by these vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only. The first vulnerability affecting the Cisco IronPort
Encryption Appliance administration interface is documented in
IronPort bug 65921 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2010-0143. The second vulnerability
affecting the WebSafe servlet is documented in IronPort bug 65922 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2010-0144. The vulnerability is documented in
IronPort bug 65923 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2010-0145.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to access arbitrary files or execute
arbitrary code with elevated privileges.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
Workarounds
===========
It is possible to mitigate the administration interface file access
vulnerability (IronPort Bug 65921) by using the IP address
restriction feature of the administration interface to limit access
to trusted hosts. Access to the administration interface is not
restricted by default. To configure access limits, an administrator
should navigate to "Configuration -> Web Services -> Admin -> Console
Security" area in the Cisco IronPort Encryption Appliance
administration interface. To disable the HTTP
Invoker, an administrator must delete several files in the PostX
application home directory and remove a directive from the web server
configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
The following directive must be removed from the
"jboss/server/postx/conf/jboss-service.xml web" server configuration
file.
<mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"
name="jboss.scripts:service=BSHDeployer">
</mbean>
After deleting the files and removing the directive from the
configuration file, the PostX application service must be restarted.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by Cisco IronPort. Customers should contact Cisco IronPort
technical support at the link below to obtain software fixes. Cisco
IronPort technical support will assist customers in determining the
correct fixes and installation procedures. Customers should direct
all warranty questions to IronPort technical support.
Note: Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Jesse
Michael and Alexander Senkevitch of Blue Cross Blue Shield of
Illinois. Cisco would like to thank Jesse and Alexander for reporting
these vulnerabilities to us and for working with us on a coordinated
disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
• cust-security-announce@cisco.com
• first-bulletins@lists.first.org
• bugtraq@securityfocus.com
• vulnwatch@vulnwatch.org
• cisco@spot.colorado.edu
• cisco-nsp@puck.nether.net
• full-disclosure@lists.grok.org.uk
• comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
┌──────────┬─────────────┬──────────────┐
│ Revision │ │ Initial │
│ 1.0 │ 2010-FEB-10 │ public │
│ │ │ release │
└──────────┴─────────────┴──────────────┘
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFLctPY86n/Gc8U/uARAozcAKCZKW3TZKhWHGqRyyPhEz/sFRNGoACbB8rh
H9asrIkxuFpOpSgFLdpV7D8=
=ahIn
-----END PGP SIGNATURE-----
VAR-201002-0066 | CVE-2010-0143 | Cisco IronPort Encryption Appliance Vulnerability to read arbitrary files in management interfaces such as |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921. Cisco IronPort Encryption Appliance is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information contained in arbitrary files.
This issue is being tracked by IronPort bug 65921.
The following products are affected.
IronPort Encryption Appliance 6.5 (prior to 6.5.2)
IronPort Encryption Appliance 6.2 (prior to 6.2.9.1)
IronPort PostX MAP (prior to 6.2.9.1). A remote attacker reads arbitrary files through unknown vectors
VAR-201002-0068 | CVE-2010-0145 | Cisco IronPort Encryption Appliance Etc. HTTPS Vulnerability in arbitrary code execution on server |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923. Cisco IronPort Encryption Appliance is prone to a remote code-execution vulnerability.
This vulnerability is documented by IronPort bug 65923.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition
VAR-201002-0325 | No CVE | RSLinx EDS File Remote Stack Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
RSLinx is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Successful exploits may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
RSLinx Lite 2.31.00 is vulnerable; other versions may also be affected.
VAR-201002-0755 | CVE-2010-0145 | Cisco IronPort Encryption Appliance Etc. HTTPS Vulnerability in arbitrary code execution on server |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to execute arbitrary code via unknown vectors, aka IronPort Bug 65923. Cisco IronPort Encryption Appliance is prone to a remote code-execution vulnerability.
This vulnerability is documented by IronPort bug 65923.
An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition.
2) An error in the IronPort Encryption Appliance WebSafe servlet can
be exploited to disclose arbitrary files.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. There are workarounds available to mitigate these
vulnerabilities.
Cisco has released free software updates that address these
vulnerabilities.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IronPort C, M, and S-Series appliances are not affected by
these vulnerabilities. No other Cisco products are currently known to
be affected by these vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only. The first vulnerability affecting the Cisco IronPort
Encryption Appliance administration interface is documented in
IronPort bug 65921 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2010-0143. The second vulnerability
affecting the WebSafe servlet is documented in IronPort bug 65922 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2010-0144.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to access arbitrary files or execute
arbitrary code with elevated privileges.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
Workarounds
===========
It is possible to mitigate the administration interface file access
vulnerability (IronPort Bug 65921) by using the IP address
restriction feature of the administration interface to limit access
to trusted hosts. Access to the administration interface is not
restricted by default. To configure access limits, an administrator
should navigate to "Configuration -> Web Services -> Admin -> Console
Security" area in the Cisco IronPort Encryption Appliance
administration interface. To disable the HTTP
Invoker, an administrator must delete several files in the PostX
application home directory and remove a directive from the web server
configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
The following directive must be removed from the
"jboss/server/postx/conf/jboss-service.xml web" server configuration
file.
<mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"
name="jboss.scripts:service=BSHDeployer">
</mbean>
After deleting the files and removing the directive from the
configuration file, the PostX application service must be restarted.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by Cisco IronPort. Customers should contact Cisco IronPort
technical support at the link below to obtain software fixes. Cisco
IronPort technical support will assist customers in determining the
correct fixes and installation procedures. Customers should direct
all warranty questions to IronPort technical support.
Note: Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Jesse
Michael and Alexander Senkevitch of Blue Cross Blue Shield of
Illinois. Cisco would like to thank Jesse and Alexander for reporting
these vulnerabilities to us and for working with us on a coordinated
disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
• cust-security-announce@cisco.com
• first-bulletins@lists.first.org
• bugtraq@securityfocus.com
• vulnwatch@vulnwatch.org
• cisco@spot.colorado.edu
• cisco-nsp@puck.nether.net
• full-disclosure@lists.grok.org.uk
• comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
┌──────────┬─────────────┬──────────────┐
│ Revision │ │ Initial │
│ 1.0 │ 2010-FEB-10 │ public │
│ │ │ release │
└──────────┴─────────────┴──────────────┘
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFLctPY86n/Gc8U/uARAozcAKCZKW3TZKhWHGqRyyPhEz/sFRNGoACbB8rh
H9asrIkxuFpOpSgFLdpV7D8=
=ahIn
-----END PGP SIGNATURE-----
VAR-201002-0754 | CVE-2010-0143 | Cisco IronPort Encryption Appliance Vulnerability to read arbitrary files in management interfaces such as |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the administrative interface in the embedded HTTPS server on the Cisco IronPort Encryption Appliance 6.2.x before 6.2.9.1 and 6.5.x before 6.5.2, and the IronPort PostX MAP before 6.2.9.1, allows remote attackers to read arbitrary files via unknown vectors, aka IronPort Bug 65921. Cisco IronPort Encryption Appliance is prone to an information-disclosure vulnerability.
Attackers can exploit this issue to obtain sensitive information contained in arbitrary files.
This issue is being tracked by IronPort bug 65921.
The following products are affected.
IronPort Encryption Appliance 6.5 (prior to 6.5.2)
IronPort Encryption Appliance 6.2 (prior to 6.2.9.1)
IronPort PostX MAP (prior to 6.2.9.1).
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco IronPort
Encryption Appliance
Advisory ID: cisco-sa-20100210-ironport
Revision 1.0
For Public Release 2010 February 10 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
Cisco IronPort Encryption Appliance devices contain two
vulnerabilities that allow remote, unauthenticated access to any file
on the device and one vulnerability that allows remote,
unauthenticated users to execute arbitrary code with elevated
privileges. There are workarounds available to mitigate these
vulnerabilities.
Cisco has released free software updates that address these
vulnerabilities.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
Cisco IronPort C, M, and S-Series appliances are not affected by
these vulnerabilities. No other Cisco products are currently known to
be affected by these vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only. The first vulnerability affecting the Cisco IronPort
Encryption Appliance administration interface is documented in
IronPort bug 65921 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2010-0143. The second vulnerability
affecting the WebSafe servlet is documented in IronPort bug 65922 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2010-0144. The vulnerability is documented in
IronPort bug 65923 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2010-0145.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
IronPort Bug 65921 - Arbitrary File Access Through Administrative Interface
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
IronPort Bug 65922 - WebSafe DistributorServlet Allows Unauthenticated Arbitrary File Access
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
IronPort Bug 65923 - Default Config Allows Unauthenticated Remote Arbitrary Code
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may allow a remote,
unauthenticated attacker to access arbitrary files or execute
arbitrary code with elevated privileges.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
Workarounds
===========
It is possible to mitigate the administration interface file access
vulnerability (IronPort Bug 65921) by using the IP address
restriction feature of the administration interface to limit access
to trusted hosts. Access to the administration interface is not
restricted by default. To configure access limits, an administrator
should navigate to "Configuration -> Web Services -> Admin -> Console
Security" area in the Cisco IronPort Encryption Appliance
administration interface. To disable the HTTP
Invoker, an administrator must delete several files in the PostX
application home directory and remove a directive from the web server
configuration. The following files must be deleted:
jboss/server/postx/deploy/http-invoker.sar
jboss/server/postx/deploy/jms/jbossmq-httpil.sar
The following directive must be removed from the
"jboss/server/postx/conf/jboss-service.xml web" server configuration
file.
<mbean code="org.jboss.varia.deployment.BeanShellSubDeployer"
name="jboss.scripts:service=BSHDeployer">
</mbean>
After deleting the files and removing the directive from the
configuration file, the PostX application service must be restarted.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100210-ironport.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Customers should contact Cisco IronPort
technical support at the link below to obtain software fixes. Cisco
IronPort technical support will assist customers in determining the
correct fixes and installation procedures. Customers should direct
all warranty questions to IronPort technical support.
Note: Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Jesse
Michael and Alexander Senkevitch of Blue Cross Blue Shield of
Illinois. Cisco would like to thank Jesse and Alexander for reporting
these vulnerabilities to us and for working with us on a coordinated
disclosure.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20100210-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
• cust-security-announce@cisco.com
• first-bulletins@lists.first.org
• bugtraq@securityfocus.com
• vulnwatch@vulnwatch.org
• cisco@spot.colorado.edu
• cisco-nsp@puck.nether.net
• full-disclosure@lists.grok.org.uk
• comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
┌──────────┬─────────────┬──────────────┐
│ Revision │ │ Initial │
│ 1.0 │ 2010-FEB-10 │ public │
│ │ │ release │
└──────────┴─────────────┴──────────────┘
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
iD8DBQFLctPY86n/Gc8U/uARAozcAKCZKW3TZKhWHGqRyyPhEz/sFRNGoACbB8rh
H9asrIkxuFpOpSgFLdpV7D8=
=ahIn
-----END PGP SIGNATURE-----
VAR-201002-0650 | CVE-2010-0243 | Microsoft Office of MSO.DLL Vulnerable to buffer overflow |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in MSO.DLL in Microsoft Office XP SP3 and Office 2004 for Mac allows remote attackers to execute arbitrary code via a crafted Office document, aka "MSO.DLL Buffer Overflow.". Microsoft Office is prone to a remote code-execution vulnerability.
An attacker could exploit this issue by enticing a victim to open a malicious Office file.
Successful exploits would allow the attacker to execute arbitrary code in the context of the currently logged-in user.
The vulnerability is caused due to an error when parsing
OfficeArtSpgr containers and can be exploited to cause a buffer
overflow via a specially crafted Office file.
SOLUTION:
Apply patches.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite
Vulnerability
1. *Advisory Information*
Title: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer
Overwrite Vulnerability
Advisory Id: CORE-2009-0827
Advisory URL: http://www.coresecurity.com/content/excel-buffer-overflow
Date published: 2010-02-09
Date of last update: 2010-02-08
Vendors contacted: Microsoft
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 38073
CVE Name: CVE-2010-0243
3. *Vulnerability Description*
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and
Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr
(recType 0xF003) containers that allows an attacker to cause a class
pointer to be interpreted incorrectly, leading to code execution in the
context of the currently logged on user.
4. *Vulnerable packages*
. *Non-vulnerable packages*
. Open XML File Format Converter for Mac
. PowerPoint Viewer 2007 Service Pack 1 and PowerPoint Viewer 2007
Service Pack 2
. Visio Viewer 2007 Service Pack 1 and Visio Viewer 2007 Service Pack 2
. Microsoft Works 8.5
. Microsoft Works 9
6. *Vendor Information, Solutions and Workarounds*
Microsoft has addressed this vulnerability by issuing an update located
at http://www.microsoft.com/technet/security/bulletin/MS10-003.msp
7. *Credits*
This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].
8. *Technical Description / Proof of Concept Code*
8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value
leads to attacker controlled pointer usage [MSRC 9368]*
A vulnerability exists in MSO.DLL affecting Excel 9 (Office 2000) and
Excel 10 (Office XP) in the code responsible for parsing OfficeArtSpgr
(recType 0xF003) containers that allows an attacker to cause a class
pointer to be interpreted incorrectly, leading to code execution in the
context of the currently logged on user.
The precise affected executable version we tested is 'Excel.exe
v10.0.6854' and the DLL is 'mso.dll v10.0.6845'
Likely attack vectors include:
. Targeted attacks involving e-mailed malicious files combined with
social engineering to entice the user to open the malicious attachment. Targeted attacks involving malicious files hosted on a remote web
site combined with social engineering to entice the user to open the
malicious attachment.
The root cause description of the vulnerability is that there is no
check to make sure that there is a valid group before loading the SPGR
from the file.
A disassembly of the vulnerable code follows:
/-----
30BDE405 CMP ECX,0F003
30BDE40B JB mso.30EFD183
30BDE411 CMP ECX,0F004
30BDE417 JA mso.30BDE4C8
30BDE41D XOR ESI,ESI
30BDE41F LEA EAX,DWORD PTR SS:[EBP-8]
30BDE422 PUSH ESI
30BDE423 PUSH EAX
30BDE424 PUSH EDI
30BDE425 MOV ECX,EBX
30BDE427 CALL mso.30BDEC18
30BDE42C TEST EAX,EAX
30BDE42E JE mso.30EFD21A
30BDE434 MOV EDX,DWORD PTR SS:[EBP-8]
30BDE437 MOV EAX,DWORD PTR DS:[EDX+50]
30BDE43A TEST AL,10
30BDE43C JE mso.30BDE356
30BDE442 TEST AL,4
30BDE444 JE mso.30EFD21A
30BDE44A CMP WORD PTR DS:[EDX+24],SI
30BDE44E JNZ mso.30EFD21A
30BDE454 PUSH 23
30BDE456 LEA EDI,DWORD PTR DS:[EBX+90]
30BDE45C POP ECX
30BDE45D MOV ESI,EDX
30BDE45F LEA EAX,DWORD PTR DS:[EBX+F0]
30BDE465 ADD EDX,58
30BDE468 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
30BDE46A CMP DWORD PTR DS:[EAX],EDX
30BDE46C MOV DWORD PTR DS:[EBX+CC],EBX
30BDE472 JE mso.30EFD12E
30BDE478 MOV ECX,DWORD PTR DS:[EAX]
30BDE47A MOV DWORD PTR DS:[ECX],EAX ;*Access Violation On Write*
registers
eax=017f068c ebx=017f059c ecx=0e000e00 edx=017f0870 esi=017f08a4
edi=017f06b8
eip=30dd70cc esp=00137674 ebp=00137714 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
- -----/
8.2. *Memory Corruption related to Graphic Description [MSRC case 9562]*
Core Security Technologies reported a second bug in Excel which resulted
non exploitable. In its investigation, MSRC has analyzed BIFF5++, BIFF4,
and BIFF2 file formats for exploitability of this vulnerability. MSRC
has been unable to reproduce it in such a way that an exploitable
condition occurs.
9. *Report Timeline*
. 2009-09-04:
Core Security Technologies notifies the Microsoft team of the
vulnerability #1 and sends a Proof of Concept malformed file. 2009-09-04:
Microsoft acknowledges receipt of the vulnerability report, and opens
MSRC case 9368 to track this issue. 2009-09-07:
Core sends a second Proof of Concept malformed file triggering
vulnerability #2 in Excel 2000/2002. 2009-09-08:
The Microsoft team acknowledges receipt of the information and estimates
that they will have more detailed information in two weeks. They
inform us that they will send updated information on the fix release
date as the investigation progresses. 2009-09-14:
Core acknowledges receipt of the previous mail from the Microsoft team
and reminds them that the publication date proposed by Core is November
24th, 2009. 2009-09-14:
Core requests Microsoft's analysis of the second reported bug. 2009-09-14:
Microsoft confirms that the first bug reported on Excel is exploitable
and that they are working on defining a ship date. Microsoft also states
that the bug reported as MSRC case 9154 / CORE-2009-0504 is not
exploitable and no security bulletin will be issued for that case. 2009-09-16:
Core notifies the Microsoft team that there has been a misunderstanding,
and that the bug MSRC case 9154 / CORE-2009-0504 was dismissed as not
exploitable in July 2009. Core sends again the Proof of Concepts for the
two bugs reported as CORE-2009-0827. 2009-09-17:
Microsoft requests Core to hold off the publication of the advisory
CORE-2009-0827 until Microsoft comes up with a plan to fix the
vulnerability. 2009-09-21:
Core notifies the Microsoft team that it had made a mistake in the names
of the Proof of Concept files that lead to further confusion. Core
confirms that two new bugs were reported and that the third
non-exploitable bug belongs to another previous case/advisory. The Excel
Proof of Concept files are sent again including identifier CORE-2009-0827. 2009-09-22:
The Microsoft team acknowledges the clarification sent by Core and
estimates that they will have a deeper analysis of the proof of concept
#2 sent by Core in a few days. 2009-10-26:
Core sends a summary of the status of the reported vulnerabilities, and
requests from Microsoft additional information about its technical
analysis of the reported bugs (in particular concerning exploitability
of the second bug) and about its schedule to produce fixes. 2009-10-27:
Microsoft confirms that they have reproduced the reported bugs, and
communicates that they will be unable to release updates for these
issues until February 9th, 2010. 2009-10-28:
Core communicates that it is willing to reschedule the publication of
its advisory provided that Microsoft gives technical information that
justifies this decision. 2009-11-02:
Microsoft explains that in general both the product team (in this case
within Office) as well as MSRC Engineering team look for potential
variant bugs for each vulnerability that is reported to them. This is
followed by the development of a fix, and the testing of the fix.
Microsoft states that it will be able to share additional technical
information (requested by Core) about 3-4 weeks before release. 2009-11-02:
Core confirms that it will reschedule publication of its advisory to
February 9th, 2010, and that it looks forward to receiving technical
information about the vulnerabilities. 2009-11-02:
Microsoft acknowledges receipt of the previous communication. 2009-11-03:
Core asks whether Microsoft considers the two bugs that have been
reported as variants of the same problem, or as different issues. 2009-11-06:
Microsoft replies that the vulnerability #2 has been lost in the mix,
explains how MSRC triage officers assign MSRC tracking case numbers. The
vulnerability #2 is assigned MSRC case 9562. 2009-11-06:
Core confirms that it considers the second bug (MSRC 9562) to be a
different bug than MSRC 9368. 2009-11-18:
Microsoft sends a technical analysis of bug MSRC 9562, indicating that
this bug causes Excel to crash safely. 2009-12-02:
Microsoft sends technical information about bug MSRC 9368, including the
root cause of the problem and the list of affected versions. 2009-12-16:
Microsoft sends further analysis of bug MSRC 9562, which has been
analyzed in conjunction with the reported bug MSRC case 9326 in Virtual
PC. MSRC indicates that it has been unable to reproduce an exploitable
condition using the Excel bug (MSRC 9562). 2009-12-22:
Core acknowledges receipt of the analysis of bug MSRC 9562, and agrees
with the technical analysis. 2009-12-18:
Microsoft sends a spreadsheet summarising Core cases, which indicates
that fixes are confirmed to be released on March 9th 2010. 2009-12-21:
Core acknowledges receipt of the technical information, and asks
Microsoft whether the release of a fixed version has moved to March 9th
2010. 2009-12-21:
Microsoft replies that the ship date for the vulnerability MSRC 9368 in
MSO.dll is still February 9th 2010 (the spreadsheet contained a clerical
error). 2010-02-01:
Core requests MSRC the list of non vulnerable versions of Excel /
Office, and a statement for the "vendor information" section of the
advisory. 2010-02-03:
Microsoft sends the CVE identifier for the vulnerability, and the list
of affected and non affected software. 2010-02-09:
The advisory CORE-2009-0827 is published.
10. *References*
[1] About Core Security's Bugweek
http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=project&name=Bugweek
[2] Microsoft Security Bulletin MS10-003
http://www.microsoft.com/technet/security/bulletin/MS10-003.msp
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAktxq9cACgkQyNibggitWa2ZfgCgsgImwlV9D+uNQnuzgmWefT8U
BngAn06q1Ub1HhaqeKBigZaI3SCCPFg3
=Cmi1
-----END PGP SIGNATURE-----
.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA10-040A
Microsoft Updates for Multiple Vulnerabilities
Original release date:
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows and Windows Server
* Microsoft Internet Explorer
* Microsoft Office
Overview
Microsoft has released updates to address vulnerabilities in
Microsoft Windows, Windows Server, Internet Explorer, and Microsoft
Office. Description
Microsoft has released multiple security bulletins for critical
vulnerabilities in Microsoft Windows, Windows Server, Internet
Explorer, and Microsoft Office.
II.
III. The security
bulletin describes any known issues related to the updates.
Administrators are encouraged to note these issues and test for any
potentially adverse effects. Administrators should consider using
an automated update distribution system such as Windows Server
Update Services (WSUS).
IV. References
* Microsoft Security Bulletin Summary for February 2010 -
<http://www.microsoft.com/technet/security/bulletin/MS10-feb.mspx>
* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA10-040A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA10-040A Feedback VU#799780" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2010 by US-CERT, a government organization
VAR-201002-0160 | CVE-2010-0563 | IBM WebSphere Application Server of Single Sign-on Vulnerabilities that capture important information on functions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. Based on the Java and Servlet engines, the IBM Websphere Application Server supports a variety of HTTP services to help users with everything from development and release to maintaining interactive, dynamic websites. IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability.
Successful exploits may allow attackers to bypass certain security restrictions, which may lead to other attacks.
This issue affects WAS 7.0 through 7.0.0.8
VAR-201002-0744 | CVE-2010-0563 | IBM WebSphere Application Server of Single Sign-on Vulnerabilities that capture important information on functions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted. Based on the Java and Servlet engines, the IBM Websphere Application Server supports a variety of HTTP services to help users with everything from development and release to maintaining interactive, dynamic websites. IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability.
Successful exploits may allow attackers to bypass certain security restrictions, which may lead to other attacks.
This issue affects WAS 7.0 through 7.0.0.8.
SOLUTION:
Apply Interim Fix APAR PM00610 (please see the vendor's advisory for
more information).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM (PM00610):
http://www-01.ibm.com/support/docview.wss?uid=swg21417839
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201002-0299 | CVE-2003-1582 | Microsoft Internet Information Services Security hole |
CVSS V2: 2.6 CVSS V3: - Severity: LOW |
Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. IIS is prone to a cross-site scripting vulnerability
VAR-201002-0187 | CVE-2010-0607 | Sterlite SAM300 AX Router of Forms/status_statistics_1 Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 in the Sterlite SAM300 AX Router allows remote attackers to inject arbitrary web script or HTML via the Stat_Radio parameter.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks
VAR-201002-0312 | No CVE | Ipswitch IMail Server Local Privilege Escalation Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Ipswitch IMail Server is a mail server bundled in the Ipswitch collaboration component. By default, IMail allows the Internet Guest account to access the following registry keys and their subkeys and values with Full Control privileges: HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\IMail. In addition, the password decryption algorithm implemented in IMail's IMailsec.dll library is reversible. Local users can find the Password string under HKEY_LOCAL_MACHINE\\SOFTWARE\\Ipswitch\\IMail\\Domains\\[domain name]\\Users and then crack the encrypted password. Ipswitch IMail Server is prone to multiple local privilege-escalation vulnerabilities.
Local attackers may exploit these issues to gain elevated privileges, which may lead to a complete compromise of an affected computer.
IMail Server 11.01 is affected; other versions may also be vulnerable
VAR-201002-0342 | No CVE | uplusware UplusFtp Multiple Remote Buffer Overflow Vulnerabilities |
CVSS V2: - CVSS V3: - Severity: - |
UplusFtp (formerly Easy Ftp Server) is prone to multiple remote buffer-overflow vulnerabilities.
Attackers can exploit these issues to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
UplusFtp 1.7.0.12 is vulnerable; prior versions, including Easy Ftp Server, may also be affected.
VAR-201002-0765 | CVE-2010-0607 | Sterlite SAM300 AX Router of Forms/status_statistics_1 Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Forms/status_statistics_1 in the Sterlite SAM300 AX Router allows remote attackers to inject arbitrary web script or HTML via the Stat_Radio parameter.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Input passed via e.g. the "Stat_Radio" parameter to
Forms/status_statistics_1 is not properly sanitised before being
returned to the user.
Note: This can be used to change certain router settings (e.g. the
DNS server), which can be leveraged to conduct further attacks.
SOLUTION:
Do not browse untrusted sites or follow untrusted links while being
logged-in to the administration interface.
PROVIDED AND/OR DISCOVERED BY:
Karn Ganeshen
CHANGELOG:
2010-02-11: Added note to "Description" section.
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/fulldisclosure/2010-02/0075.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-201002-0327 | No CVE | Novell NetStorage xsrvd Long Pathname Remote Code Execution Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell NetStorage. Authentication is not required to exploit this vulnerability.The specific flaws exists within the xsrvd process during the wide character conversion of requested file paths. In conjunction with a long username value the file path conversion will result in a heap overflow corrupting a chunk that will be immediately freed. This can be leveraged by remote attackers to compromise the NetStorage server. Novell NetStorage is prone to a heap-based buffer-overflow vulnerability.
This issue affects NetStorage and the following:
- NetWare 6.5 Support Pack 8
- Open Enterprise Server 2 (OES 2) Linux Support Pack 1
- Open Enterprise Server 2 (OES 2) Linux Support Pack 2. ZDI-10-021: Novell NetStorage xsrvd Long Pathname Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-10-021
February 23, 2010
-- Affected Vendors:
Novell
-- Affected Products:
Novell NetStorage
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 9290. Authentication is not
required to exploit this vulnerability.
-- Vendor Response:
Novell has issued an update to correct this vulnerability. More
details can be found at:
http://www.novell.com/support/viewContent.do?externalId=7005282
-- Disclosure Timeline:
2009-10-21 - Vulnerability reported to vendor
2010-02-23 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* 1c239c43f521145fa8385d64a9c32243
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/