VARIoT IoT vulnerabilities database
| VAR-201106-0229 | CVE-2011-2395 | Cisco IOS In Router Advertisement Guarding Vulnerabilities that bypass functions |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Neighbor Discovery (ND) protocol implementation in Cisco IOS on unspecified switches allows remote attackers to bypass the Router Advertisement Guarding functionality via a fragmented IPv6 packet in which the Router Advertisement (RA) message is contained in the second fragment, as demonstrated by (1) a packet in which the first fragment contains a long Destination Options extension header or (2) a packet in which the first fragment contains an ICMPv6 Echo Request message. IOS is prone to a security bypass vulnerability. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment
| VAR-201106-0325 | No CVE | Veri-NAC URI Processing Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Veri-NAC is a network control access device. The input passed to the WEB interface via the URL lacks filtering before use, and the attacker submits a request containing a directory traversal sequence to obtain arbitrary file content. In addition, its Active Directory authentication information is stored in clear text. Veri-NAC is prone to a directory-traversal vulnerability.
Exploiting the issues can allow an attacker to obtain sensitive information that could aid in further attacks.
Veri-NAC firmware version prior to 8.0.10 are vulnerable. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Black Box Veri-NAC Directory Traversal Vulnerability
SECUNIA ADVISORY ID:
SA44757
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44757/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44757
RELEASE DATE:
2011-06-08
DISCUSS ADVISORY:
http://secunia.com/advisories/44757/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44757/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44757
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in Black Box Veri-NAC, which can be
exploited by malicious people to disclose sensitive information.
Certain input passed to the web interface via the URL is not properly
verified before being used. This can be exploited to disclose the
contents of arbitrary files via directory traversal sequences.
SOLUTION:
Update to version 8.0.10. Please contact the vendor for more
information.
PROVIDED AND/OR DISCOVERED BY:
Mikael Simovits, Techworld.
ORIGINAL ADVISORY:
http://techworld.idg.se/2.2524/1.387616/blackbox-veri-nac---produkten-som-forstor-din-it-sakerhet/
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0323 | No CVE | Tele Data's Contact Management Server Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Tele Data's Contact Management Server is a specially crafted HTTP server that provides contact management services. Tele Data's Contact Management Server does not properly handle directory traversal character sequences, and remote attackers can exploit the vulnerability to view system file content with WEB permissions.
Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks
| VAR-201106-0026 | CVE-2011-2107 |
Adobe Flash Player Vulnerable to cross-site scripting
Related entries in the VARIoT exploits database: VAR-E-201106-0678 |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and earlier on Android, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "universal cross-site scripting vulnerability.".
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The following versions are vulnerable:
Adobe Flash Player 10.3.181.16 and prior versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 10.3.185.22 and prior versions for Android
UPDATE (June 7, 2011): The vendor indicates there may be an impact related to the 'Authplay.dll' component of Adobe Reader and Acrobat X 10.0.3, Reader 9.x and 10.x, and Acrobat 9.x and 10.x. We will update this BID when additional details emerge. The product enables viewing of applications, content and video across screens and browsers. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: flash-plugin security update
Advisory ID: RHSA-2011:0850-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0850.html
Issue date: 2011-06-06
CVE Names: CVE-2011-2107
=====================================================================
1. Summary:
An updated Adobe Flash Player package that fixes one security issue is now
available for Red Hat Enterprise Linux 5 and 6 Supplementary.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 5) - i386, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. This
vulnerability is detailed on the Adobe security page APSB11-13, listed in
the References section. (CVE-2011-2107)
All users of Adobe Flash Player should install this updated package, which
upgrades Flash Player to version 10.3.181.22
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 5):
i386:
flash-plugin-10.3.181.22-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.181.22-1.el5.i386.rpm
Red Hat Enterprise Linux Server Supplementary (v. 5):
i386:
flash-plugin-10.3.181.22-1.el5.i386.rpm
x86_64:
flash-plugin-10.3.181.22-1.el5.i386.rpm
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
flash-plugin-10.3.181.22-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.181.22-1.el6.i686.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
flash-plugin-10.3.181.22-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.181.22-1.el6.i686.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
flash-plugin-10.3.181.22-1.el6.i686.rpm
x86_64:
flash-plugin-10.3.181.22-1.el6.i686.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-2107.html
https://access.redhat.com/security/updates/classification/#important
http://www.adobe.com/support/security/bulletins/apsb11-13.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFN7OqAXlSAg2UNWIIRApgjAKCldmXlUbDzD/uUwi8XnweoaBZ00gCeIzcZ
1XCuXnfYCW/M6oYmVu+sw+U=
=AUfZ
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Adobe Flash Player: Multiple vulnerabilities
Date: October 13, 2011
Bugs: #354207, #359019, #363179, #367031, #370215, #372899,
#378637, #384017
ID: 201110-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities in Adobe Flash Player might allow remote
attackers to execute arbitrary code or cause a Denial of Service.
Background
==========
The Adobe Flash Player is a renderer for the SWF file format, which is
commonly used to provide interactive websites.
Impact
======
By enticing a user to open a specially crafted SWF file a remote
attacker could cause a Denial of Service or the execution of arbitrary
code with the privileges of the user running the application.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Adobe Flash Player users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=www-plugins/adobe-flash-10.3.183.10"
References
==========
[ 1 ] APSA11-01
http://www.adobe.com/support/security/advisories/apsa11-01.html
[ 2 ] APSA11-02
http://www.adobe.com/support/security/advisories/apsa11-02.html
[ 3 ] APSB11-02
http://www.adobe.com/support/security/bulletins/apsb11-02.html
[ 4 ] APSB11-12
http://www.adobe.com/support/security/bulletins/apsb11-12.html
[ 5 ] APSB11-13
http://www.adobe.com/support/security/bulletins/apsb11-13.html
[ 6 ] APSB11-21
https://www.adobe.com/support/security/bulletins/apsb11-21.html
[ 7 ] APSB11-26
https://www.adobe.com/support/security/bulletins/apsb11-26.html
[ 8 ] CVE-2011-0558
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0558
[ 9 ] CVE-2011-0559
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0559
[ 10 ] CVE-2011-0560
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0560
[ 11 ] CVE-2011-0561
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0561
[ 12 ] CVE-2011-0571
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0571
[ 13 ] CVE-2011-0572
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0572
[ 14 ] CVE-2011-0573
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0573
[ 15 ] CVE-2011-0574
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0574
[ 16 ] CVE-2011-0575
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0575
[ 17 ] CVE-2011-0577
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0577
[ 18 ] CVE-2011-0578
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0578
[ 19 ] CVE-2011-0579
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0579
[ 20 ] CVE-2011-0589
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0589
[ 21 ] CVE-2011-0607
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0607
[ 22 ] CVE-2011-0608
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0608
[ 23 ] CVE-2011-0609
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0609
[ 24 ] CVE-2011-0611
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0611
[ 25 ] CVE-2011-0618
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0618
[ 26 ] CVE-2011-0619
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0619
[ 27 ] CVE-2011-0620
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0620
[ 28 ] CVE-2011-0621
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0621
[ 29 ] CVE-2011-0622
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0622
[ 30 ] CVE-2011-0623
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0623
[ 31 ] CVE-2011-0624
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0624
[ 32 ] CVE-2011-0625
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0625
[ 33 ] CVE-2011-0626
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0626
[ 34 ] CVE-2011-0627
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0627
[ 35 ] CVE-2011-0628
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0628
[ 36 ] CVE-2011-2107
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2107
[ 37 ] CVE-2011-2110
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2110
[ 38 ] CVE-2011-2125
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2135
[ 39 ] CVE-2011-2130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2130
[ 40 ] CVE-2011-2134
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2134
[ 41 ] CVE-2011-2136
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2136
[ 42 ] CVE-2011-2137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2137
[ 43 ] CVE-2011-2138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2138
[ 44 ] CVE-2011-2139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2139
[ 45 ] CVE-2011-2140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2140
[ 46 ] CVE-2011-2414
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2414
[ 47 ] CVE-2011-2415
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2415
[ 48 ] CVE-2011-2416
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2416
[ 49 ] CVE-2011-2417
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2417
[ 50 ] CVE-2011-2424
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2424
[ 51 ] CVE-2011-2425
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2425
[ 52 ] CVE-2011-2426
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2426
[ 53 ] CVE-2011-2427
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2427
[ 54 ] CVE-2011-2428
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2428
[ 55 ] CVE-2011-2429
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2429
[ 56 ] CVE-2011-2430
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2430
[ 57 ] CVE-2011-2444
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2444
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201106-0322 | No CVE | Golden FTP PASS Command Stack Buffer Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Golden FTP Server is a Windows platform FTP server. A stack buffer overflow vulnerability exists in the GoldenFTP PASS command because of a security vulnerability in the Golden FTP service that allows a malicious user to trigger a buffer overflow using the PASS command. This vulnerability can be exploited by remote attackers to cause sensitive information to leak.
| VAR-201106-0233 | CVE-2011-2530 | RSLinx Classic EDS Hardware Installation Tool Remote Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in RSEds.dll in RSHWare.exe in the EDS Hardware Installation Tool 1.0.5.1 and earlier in Rockwell Automation RSLinx Classic before 2.58 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a malformed .eds file. RSLinx Classic connects RSLogix and RSNetWorx products to Rockwell Automation networks and devices, and is also an OPC server. Execute arbitrary code. RSLinx Classic is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Failed exploit attempts will likely cause denial-of-service conditions.
RSLinx Classic 1.0.5.1 is vulnerable; other versions may also be affected
| VAR-201106-0317 | No CVE | MODACOM URoad-5000 Security Bypass Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The MODACOM URoad-5000 is a portable WiMAX/WiFi router. The MODACOM URoad-5000 device uses the modified RaLink SDK version to access standard web interfaces via HTTP. The WEB management interface can be accessed by admin:admin via a standard username/password, which can be changed later. But there is another engineer:engineer pair can also be changed by the WEB interface. MODACOM URoad-5000 is prone to a security-bypass vulnerability and a remote command-execution vulnerability.
An attacker can exploit these issues to bypass certain security restrictions and execute arbitrary commands on the affected device.
MODACOM URoad-5000 firmware version 1450 is vulnerable; other versions may also be affected
| VAR-201106-0192 | CVE-2011-1783 | Apache Subversion Used in Apache HTTP Server Service disruption in (DoS) Vulnerabilities |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data. Apache Subversion is prone to multiple vulnerabilities, including two denial-of-service issues and an information-disclosure issue.
Attackers can exploit these issues to crash the application, exhaust all memory resources, or obtain potentially sensitive information.
Versions prior to Subversion 1.6.17 are vulnerable. The server is fast, reliable and extensible through a simple API.
The mod_dav_svn Apache HTTPD server module may in certain cenarios
enter a logic loop which does not exit and which allocates emory in
each iteration, ultimately exhausting all the available emory on the
server which can lead to a DoS (Denial Of Service) (CVE-2011-1783).
The mod_dav_svn Apache HTTPD server module may leak to remote users
the file contents of files configured to be unreadable by those users
(CVE-2011-1921).
Packages for 2009.0 are provided as of the Extended Maintenance
Program. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFN6cg2mqjQ0CJFipgRAqj2AKCRyKt813e0OmWSTU5bL58KCmUwowCfT6RY
DDOtowgSctAg4EX+tLXIvRQ=
=zsmM
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2012-02-01-1 OS X Lion v10.7.3 and Security Update 2012-001
OS X Lion v10.7.3 and Security Update 2012-001 is now available and
addresses the following:
Address Book
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: An attacker in a privileged network position may intercept
CardDAV data
Description: Address Book supports Secure Sockets Layer (SSL) for
accessing CardDAV. A downgrade issue caused Address Book to attempt
an unencrypted connection if an encrypted connection failed. An
attacker in a privileged network position could abuse this behavior
to intercept CardDAV data. This issue is addressed by not downgrading
to an unencrypted connection without user approval.
CVE-ID
CVE-2011-3444 : Bernard Desruisseaux of Oracle Corporation
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in Apache
Description: Apache is updated to version 2.2.21 to address several
vulnerabilities, the most serious of which may lead to a denial of
service. Further information is available via the Apache web site at
http://httpd.apache.org/
CVE-ID
CVE-2011-3348
Apache
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Apache disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by providing a configuration
parameter to control the countermeasure and enabling it by default.
CVE-ID
CVE-2011-3389
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
the request to an incorrect origin server. This issue does not affect
systems prior to OS X Lion.
CVE-ID
CVE-2011-3246 : Erling Ellingsen of Facebook
CFNetwork
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in CFNetwork's handling of malformed
URLs. When accessing a maliciously crafted URL, CFNetwork could send
unexpected request headers. This issue does not affect systems prior
to OS X Lion.
CVE-ID
CVE-2011-3447 : Erling Ellingsen of Facebook
ColorSync
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: An integer overflow existed in the handling of images
with an embedded ColorSync profile, which may lead to a heap buffer
overflow. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-0200 : binaryproof working with TippingPoint's Zero Day
Initiative
CoreAudio
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Playing maliciously crafted audio content may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of AAC
encoded audio streams. This issue does not affect OS X Lion systems.
CVE-ID
CVE-2011-3252 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
CoreMedia
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A heap buffer overflow existed in CoreMedia's handling
of H.264 encoded movie files.
CVE-ID
CVE-2011-3448 : Scott Stender of iSEC Partners
CoreText
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing or downloading a document containing a maliciously
crafted embedded font may lead to an unexpected application
termination or arbitrary code execution
Description: A use after free issue existed in the handling of font
files.
CVE-ID
CVE-2011-3449 : Will Dormann of the CERT/CC
CoreUI
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a malicious website may lead to an unexpected
application termination or arbitrary code execution
Description: An unbounded stack allocation issue existed in the
handling of long URLs. This issue does not affect systems prior to OS
X Lion.
CVE-ID
CVE-2011-3450 : Ben Syverson
curl
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: A remote server may be able to impersonate clients via
GSSAPI requests
Description: When doing GSSAPI authentication, libcurl
unconditionally performs credential delegation. This issue is
addressed by disabling GSSAPI credential delegation.
CVE-ID
CVE-2011-2192
Data Security
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description: Two certificate authorities in the list of trusted root
certificates have independently issued intermediate certificates to
DigiCert Malaysia. DigiCert Malaysia has issued certificates with
weak keys that it is unable to revoke. An attacker with a privileged
network position could intercept user credentials or other sensitive
information intended for a site with a certificate issued by DigiCert
Malaysia. This issue is addressed by configuring default system trust
settings so that DigiCert Malaysia's certificates are not trusted. We
would like to acknowledge Bruce Morton of Entrust, Inc. for reporting
this issue.
dovecot
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 and TLS 1.0 when a cipher suite uses a block cipher in CBC mode.
Dovecot disabled the 'empty fragment' countermeasure which prevented
these attacks. This issue is addressed by enabling the
countermeasure.
CVE-ID
CVE-2011-3389 : Apple
filecmds
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Decompressing a maliciously crafted compressed file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the 'uncompress' command
line tool.
CVE-ID
CVE-2011-2895
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in ImageIO's handling of
CCITT Group 4 encoded TIFF files. This issue does not affect OS X
Lion systems.
CVE-ID
CVE-2011-0241 : Cyril CATTIAUX of Tessi Technologies
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted TIFF file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in libtiff's handling of
ThunderScan encoded TIFF images. This issue is address by updating
libtiff to version 3.9.5.
CVE-ID
CVE-2011-1167
ImageIO
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in libpng 1.5.4
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
Internet Sharing
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A Wi-Fi network created by Internet Sharing may lose
security settings after a system update
Description: After updating to a version of OS X Lion prior to
10.7.3, the Wi-Fi configuration used by Internet Sharing may revert
to factory defaults, which disables the WEP password. This issue only
affects systems with Internet Sharing enabled and sharing the
connection to Wi-Fi. This issue is addressed by preserving the Wi-Fi
configuration during a system update.
CVE-ID
CVE-2011-3452 : an anonymous researcher
Libinfo
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Visiting a maliciously crafted website may lead to the
disclosure of sensitive information
Description: An issue existed in Libinfo's handling of hostname
lookup requests. Libinfo could return incorrect results for a
maliciously crafted hostname. This issue does not affect systems
prior to OS X Lion.
CVE-ID
CVE-2011-3441 : Erling Ellingsen of Facebook
libresolv
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's libresolv library may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: An integer overflow existed in the parsing of DNS
resource records, which may lead to heap memory corruption.
CVE-ID
CVE-2011-3453 : Ilja van Sprundel of IOActive
libsecurity
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Some EV certificates may be trusted even if the
corresponding root has been marked as untrusted
Description: The certificate code trusted a root certificate to sign
EV certificates if it was on the list of known EV issuers, even if
the user had marked it as 'Never Trust' in Keychain. The root would
not be trusted to sign non-EV certificates.
CVE-ID
CVE-2011-3422 : Alastair Houghton
OpenGL
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Applications that use OS X's OpenGL implementation may be
vulnerable to an unexpected application termination or arbitrary code
execution
Description: Multiple memory corruption issues existed in the
handling of GLSL compilation.
CVE-ID
CVE-2011-3457 : Chris Evans of the Google Chrome Security Team, and
Marc Schoenefeld of the Red Hat Security Response Team
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in PHP 5.3.6
Description: PHP is updated to version 5.3.8 to address several
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the PHP web site at
http://www.php.net
CVE-ID
CVE-2011-1148
CVE-2011-1657
CVE-2011-1938
CVE-2011-2202
CVE-2011-2483
CVE-2011-3182
CVE-2011-3189
CVE-2011-3267
CVE-2011-3268
PHP
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
PHP
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Multiple vulnerabilities in libpng 1.5.4
Description: libpng is updated to version 1.5.5 to address multiple
vulnerabilities, the most serious of which may lead to arbitrary code
execution. Further information is available via the libpng website at
http://www.libpng.org/pub/png/libpng.html
CVE-ID
CVE-2011-3328
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Opening a maliciously crafted MP4 encoded file may lead to
an unexpected application termination or arbitrary code execution
Description: An uninitialized memory access issue existed in the
handling of MP4 encoded files.
CVE-ID
CVE-2011-3458 : Luigi Auriemma and pa_kt both working with
TippingPoint's Zero Day Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A signedness issue existed in the handling of font
tables embedded in QuickTime movie files.
CVE-ID
CVE-2011-3248 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: An off by one buffer overflow existed in the handling
of rdrf atoms in QuickTime movie files.
CVE-ID
CVE-2011-3459 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted JPEG2000 image file may lead
to an unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of JPEG2000
files.
CVE-ID
CVE-2011-3250 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Processing a maliciously crafted PNG image may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of PNG files.
CVE-ID
CVE-2011-3460 : Luigi Auriemma working with TippingPoint's Zero Day
Initiative
QuickTime
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: A buffer overflow existed in the handling of FLC
encoded movie files
CVE-ID
CVE-2011-3249 : Matt 'j00ru' Jurczyk working with TippingPoint's Zero
Day Initiative
SquirrelMail
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in SquirrelMail
Description: SquirrelMail is updated to version 1.4.22 to address
several vulnerabilities, the most serious of which is a cross-site
scripting issue. This issue does not affect OS X Lion systems.
Further information is available via the SquirrelMail web site at
http://www.SquirrelMail.org/
CVE-ID
CVE-2010-1637
CVE-2010-2813
CVE-2010-4554
CVE-2010-4555
CVE-2011-2023
Subversion
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Accessing a Subversion repository may lead to the disclosure
of sensitive information
Description: Subversion is updated to version 1.6.17 to address
multiple vulnerabilities, the most serious of which may lead to the
disclosure of sensitive information. Further information is available
via the Subversion web site at http://subversion.tigris.org/
CVE-ID
CVE-2011-1752
CVE-2011-1783
CVE-2011-1921
Time Machine
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: A remote attacker may access new backups created by the
user's system
Description: The user may designate a remote AFP volume or Time
Capsule to be used for Time Machine backups. Time Machine did not
verify that the same device was being used for subsequent backup
operations. An attacker who is able to spoof the remote volume could
gain access to new backups created by the user's system. This issue
is addressed by verifying the unique identifier associated with a
disk for backup operations.
CVE-ID
CVE-2011-3462 : Michael Roitzsch of the Technische Universitat
Dresden
Tomcat
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8
Impact: Multiple vulnerabilities in Tomcat 6.0.32
Description: Tomcat is updated to version 6.0.33 to address multiple
vulnerabilities, the most serious of which may lead to the disclosure
of sensitive information. Tomcat is only provided on Mac OS X Server
systems. This issue does not affect OS X Lion systems. Further
information is available via the Tomcat site at
http://tomcat.apache.org/
CVE-ID
CVE-2011-2204
WebDAV Sharing
Available for: OS X Lion Server v10.7 to v10.7.2
Impact: Local users may obtain system privileges
Description: An issue existed in WebDAV Sharing's handling of user
authentication. A user with a valid account on the server or one of
its bound directories could cause the execution of arbitrary code
with system privileges. This issue does not affect systems prior to
OS X Lion.
CVE-ID
CVE-2011-3463 : Gordon Davisson of Crywolf
Webmail
Available for: OS X Lion v10.7 to v10.7.2,
OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted e-mail message may lead to the
disclosure of message content
Description: A cross-site scripting vulnerability existed in the
handling of mail messages. This issue is addressed by updating
Roundcube Webmail to version 0.6. This issue does not affect systems
prior to OS X Lion. Further information is available via the
Roundcube site at http://trac.roundcube.net/
CVE-ID
CVE-2011-2937
X11
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7 to v10.7.2, OS X Lion Server v10.7 to v10.7.2
Impact: Viewing a maliciously crafted PDF file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in FreeType's
handling of Type 1 fonts. This issue is addressed by updating
FreeType to version 2.4.7. Further information is available via the
FreeType site at http://www.freetype.org/
CVE-ID
CVE-2011-3256 : Apple
OS X Lion v10.7.3 and Security Update 2012-001 may be obtained from
the Software Update pane in System Preferences, or Apple's Software
Downloads web site:
http://www.apple.com/support/downloads/
The Software Update utility will present the update that applies
to your system configuration. Only one is needed, either
Security Update 2021-001 or OS X v10.7.3.
For OS X Lion v10.7.2
The download file is named: MacOSXUpd10.7.3.dmg
Its SHA-1 digest is: 7102fe8f9f47286c45dfa35f6e84e7f730493a7c
For OS X Lion v10.7 and v10.7.1
The download file is named: MacOSXUpdCombo10.7.3.dmg
Its SHA-1 digest is: 07dfce300f6801eb63d9ac13e0bec84e1862a16c
For OS X Lion Server v10.7.2
The download file is named: MacOSXServerUpd10.7.3.dmg
Its SHA-1 digest is: 55a9571635d4ec088c142d68132d0d69fcb8867d
For OS X Lion Server v10.7 and v10.7.1
The download file is named: MacOSXServerUpdCombo10.7.3.dmg
Its SHA-1 digest is: 2c87824f09734499ea166ea0617a3ac21ecf832b
For Mac OS X v10.6.8
The download file is named: SecUpd2012-001Snow.dmg
Its SHA-1 digest is: 40875ee8cb609bbaefc8f421a9c34cc353db42b8
For Mac OS X Server v10.6.8
The download file is named: SecUpdSrvr2012-001.dmg
Its SHA-1 digest is: 53b3ca5548001a9920aeabed4a034c6e4657fe20
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)
iQEcBAEBAgAGBQJPKYxNAAoJEGnF2JsdZQeeLiIIAMLhH2ipDFrhCsw/n4VDeF1V
P6jSkGXC9tBBVMvw1Xq4c2ok4SI34bDfMlURAVR+dde/h6nIZR24aLQVoDLjJuIp
RrO2dm1nQeozLJSx2NbxhVh54BucJdKp4xS1GkDNxkqcdh04RE9hRURXdKagnfGy
9P8QQPOQmKAiWos/LYhCPDInMfrpVNvEVwP8MCDP15g6hylN4De/Oyt7ZshPshSf
MnAFObfBTGX5KioVqTyfdlBkKUfdXHJux61QEFHn8eadX6+/6IuKbUvK9B0icc8E
pvbjOxQatFRps0KNWeIsKQc5i6iQoJhocAiIy6Y6LCuZQuSXCImY2RWXkVYzbWo=
=c1eU
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Apache Subversion mod_dav_svn Two Denial of Service Vulnerabilities
SECUNIA ADVISORY ID:
SA44681
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44681/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44681
RELEASE DATE:
2011-06-02
DISCUSS ADVISORY:
http://secunia.com/advisories/44681/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44681/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44681
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Apache Subversion, which
can be exploited by malicious people to cause a DoS (Denial of
Service).
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2) The vendor credits Ivan Zhakov, VisualSVN.
ORIGINAL ADVISORY:
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201309-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Subversion: Multiple vulnerabilities
Date: September 23, 2013
Bugs: #350166, #356741, #369065, #463728, #463860, #472202, #482166
ID: 201309-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Subversion, allowing
attackers to cause a Denial of Service, escalate privileges, or obtain
sensitive information.
Background
==========
Subversion is a versioning system designed to be a replacement for CVS.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-vcs/subversion < 1.7.13 >= 1.7.13
Description
===========
Multiple vulnerabilities have been discovered in Subversion. Please
review the CVE identifiers referenced below for details. A local attacker could escalate his privileges
to the user running svnserve.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Subversion users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-vcs/subversion-1.7.13"
References
==========
[ 1 ] CVE-2010-4539
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4539
[ 2 ] CVE-2010-4644
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4644
[ 3 ] CVE-2011-0715
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0715
[ 4 ] CVE-2011-1752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1752
[ 5 ] CVE-2011-1783
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1783
[ 6 ] CVE-2011-1921
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1921
[ 7 ] CVE-2013-1845
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1845
[ 8 ] CVE-2013-1846
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1846
[ 9 ] CVE-2013-1847
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1847
[ 10 ] CVE-2013-1849
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1849
[ 11 ] CVE-2013-1884
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1884
[ 12 ] CVE-2013-1968
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1968
[ 13 ] CVE-2013-2088
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2088
[ 14 ] CVE-2013-2112
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2112
[ 15 ] CVE-2013-4131
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4131
[ 16 ] CVE-2013-4277
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4277
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: subversion security update
Advisory ID: RHSA-2011:0862-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2011-0862.html
Issue date: 2011-06-08
CVE Names: CVE-2011-1752 CVE-2011-1783 CVE-2011-1921
=====================================================================
1. Summary:
Updated subversion packages that fix three security issues are now
available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
3. Description:
Subversion (SVN) is a concurrent version control system which enables one
or more users to collaborate in developing and maintaining a hierarchy of
files and directories while keeping a history of all changes. The
mod_dav_svn module is used with the Apache HTTP Server to allow access to
Subversion repositories via HTTP.
An infinite loop flaw was found in the way the mod_dav_svn module processed
certain data sets. If the SVNPathAuthz directive was set to
"short_circuit", and path-based access control for files and directories
was enabled, a malicious, remote user could use this flaw to cause the
httpd process serving the request to consume an excessive amount of system
memory. (CVE-2011-1783)
A NULL pointer dereference flaw was found in the way the mod_dav_svn module
processed requests submitted against the URL of a baselined resource. A
malicious, remote user could use this flaw to cause the httpd process
serving the request to crash. (CVE-2011-1752)
An information disclosure flaw was found in the way the mod_dav_svn
module processed certain URLs when path-based access control for files and
directories was enabled. A malicious, remote user could possibly use this
flaw to access certain files in a repository that would otherwise not be
accessible to them. Note: This vulnerability cannot be triggered if the
SVNPathAuthz directive is set to "short_circuit". Upstream acknowledges Joe Schaefer of the Apache Software
Foundation as the original reporter of CVE-2011-1752; Ivan Zhakov of
VisualSVN as the original reporter of CVE-2011-1783; and Kamesh
Jayachandran of CollabNet, Inc. as the original reporter of CVE-2011-1921.
All Subversion users should upgrade to these updated packages, which
contain backported patches to correct these issues. After installing the
updated packages, you must restart the httpd daemon, if you are using
mod_dav_svn, for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
709111 - CVE-2011-1752 subversion (mod_dav_svn): DoS (crash) via request to deliver baselined WebDAV resources
709112 - CVE-2011-1783 subversion (mod_dav_svn): DoS (excessive memory use) when configured to provide path-based access control
709114 - CVE-2011-1921 subversion (mod_dav_svn): File contents disclosure of files configured to be unreadable by those users
6. Package List:
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/subversion-1.6.11-7.el5_6.4.src.rpm
i386:
mod_dav_svn-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-javahl-1.6.11-7.el5_6.4.i386.rpm
subversion-perl-1.6.11-7.el5_6.4.i386.rpm
subversion-ruby-1.6.11-7.el5_6.4.i386.rpm
x86_64:
mod_dav_svn-1.6.11-7.el5_6.4.x86_64.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.x86_64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.x86_64.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.x86_64.rpm
subversion-javahl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-perl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-ruby-1.6.11-7.el5_6.4.x86_64.rpm
Red Hat Enterprise Linux (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/subversion-1.6.11-7.el5_6.4.src.rpm
i386:
mod_dav_svn-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-javahl-1.6.11-7.el5_6.4.i386.rpm
subversion-perl-1.6.11-7.el5_6.4.i386.rpm
subversion-ruby-1.6.11-7.el5_6.4.i386.rpm
ia64:
mod_dav_svn-1.6.11-7.el5_6.4.ia64.rpm
subversion-1.6.11-7.el5_6.4.ia64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ia64.rpm
subversion-devel-1.6.11-7.el5_6.4.ia64.rpm
subversion-javahl-1.6.11-7.el5_6.4.ia64.rpm
subversion-perl-1.6.11-7.el5_6.4.ia64.rpm
subversion-ruby-1.6.11-7.el5_6.4.ia64.rpm
ppc:
mod_dav_svn-1.6.11-7.el5_6.4.ppc.rpm
subversion-1.6.11-7.el5_6.4.ppc.rpm
subversion-1.6.11-7.el5_6.4.ppc64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ppc.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.ppc64.rpm
subversion-devel-1.6.11-7.el5_6.4.ppc.rpm
subversion-devel-1.6.11-7.el5_6.4.ppc64.rpm
subversion-javahl-1.6.11-7.el5_6.4.ppc.rpm
subversion-perl-1.6.11-7.el5_6.4.ppc.rpm
subversion-ruby-1.6.11-7.el5_6.4.ppc.rpm
s390x:
mod_dav_svn-1.6.11-7.el5_6.4.s390x.rpm
subversion-1.6.11-7.el5_6.4.s390.rpm
subversion-1.6.11-7.el5_6.4.s390x.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.s390.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.s390x.rpm
subversion-devel-1.6.11-7.el5_6.4.s390.rpm
subversion-devel-1.6.11-7.el5_6.4.s390x.rpm
subversion-javahl-1.6.11-7.el5_6.4.s390x.rpm
subversion-perl-1.6.11-7.el5_6.4.s390x.rpm
subversion-ruby-1.6.11-7.el5_6.4.s390x.rpm
x86_64:
mod_dav_svn-1.6.11-7.el5_6.4.x86_64.rpm
subversion-1.6.11-7.el5_6.4.i386.rpm
subversion-1.6.11-7.el5_6.4.x86_64.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.i386.rpm
subversion-debuginfo-1.6.11-7.el5_6.4.x86_64.rpm
subversion-devel-1.6.11-7.el5_6.4.i386.rpm
subversion-devel-1.6.11-7.el5_6.4.x86_64.rpm
subversion-javahl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-perl-1.6.11-7.el5_6.4.x86_64.rpm
subversion-ruby-1.6.11-7.el5_6.4.x86_64.rpm
Red Hat Enterprise Linux Desktop Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux HPC Node Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Server (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
ppc64:
mod_dav_svn-1.6.11-2.el6_1.4.ppc64.rpm
subversion-1.6.11-2.el6_1.4.ppc.rpm
subversion-1.6.11-2.el6_1.4.ppc64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc64.rpm
s390x:
mod_dav_svn-1.6.11-2.el6_1.4.s390x.rpm
subversion-1.6.11-2.el6_1.4.s390.rpm
subversion-1.6.11-2.el6_1.4.s390x.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390x.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
ppc64:
subversion-debuginfo-1.6.11-2.el6_1.4.ppc.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.ppc64.rpm
subversion-devel-1.6.11-2.el6_1.4.ppc.rpm
subversion-devel-1.6.11-2.el6_1.4.ppc64.rpm
subversion-gnome-1.6.11-2.el6_1.4.ppc.rpm
subversion-gnome-1.6.11-2.el6_1.4.ppc64.rpm
subversion-javahl-1.6.11-2.el6_1.4.ppc.rpm
subversion-javahl-1.6.11-2.el6_1.4.ppc64.rpm
subversion-kde-1.6.11-2.el6_1.4.ppc.rpm
subversion-kde-1.6.11-2.el6_1.4.ppc64.rpm
subversion-perl-1.6.11-2.el6_1.4.ppc.rpm
subversion-perl-1.6.11-2.el6_1.4.ppc64.rpm
subversion-ruby-1.6.11-2.el6_1.4.ppc.rpm
subversion-ruby-1.6.11-2.el6_1.4.ppc64.rpm
s390x:
subversion-debuginfo-1.6.11-2.el6_1.4.s390.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.s390x.rpm
subversion-devel-1.6.11-2.el6_1.4.s390.rpm
subversion-devel-1.6.11-2.el6_1.4.s390x.rpm
subversion-gnome-1.6.11-2.el6_1.4.s390.rpm
subversion-gnome-1.6.11-2.el6_1.4.s390x.rpm
subversion-javahl-1.6.11-2.el6_1.4.s390.rpm
subversion-javahl-1.6.11-2.el6_1.4.s390x.rpm
subversion-kde-1.6.11-2.el6_1.4.s390.rpm
subversion-kde-1.6.11-2.el6_1.4.s390x.rpm
subversion-perl-1.6.11-2.el6_1.4.s390.rpm
subversion-perl-1.6.11-2.el6_1.4.s390x.rpm
subversion-ruby-1.6.11-2.el6_1.4.s390.rpm
subversion-ruby-1.6.11-2.el6_1.4.s390x.rpm
x86_64:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Workstation (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
mod_dav_svn-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
x86_64:
mod_dav_svn-1.6.11-2.el6_1.4.x86_64.rpm
subversion-1.6.11-2.el6_1.4.i686.rpm
subversion-1.6.11-2.el6_1.4.x86_64.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-javahl-1.6.11-2.el6_1.4.i686.rpm
subversion-javahl-1.6.11-2.el6_1.4.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 6):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/subversion-1.6.11-2.el6_1.4.src.rpm
i386:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
noarch:
subversion-svn2cl-1.6.11-2.el6_1.4.noarch.rpm
x86_64:
subversion-debuginfo-1.6.11-2.el6_1.4.i686.rpm
subversion-debuginfo-1.6.11-2.el6_1.4.x86_64.rpm
subversion-devel-1.6.11-2.el6_1.4.i686.rpm
subversion-devel-1.6.11-2.el6_1.4.x86_64.rpm
subversion-gnome-1.6.11-2.el6_1.4.i686.rpm
subversion-gnome-1.6.11-2.el6_1.4.x86_64.rpm
subversion-kde-1.6.11-2.el6_1.4.i686.rpm
subversion-kde-1.6.11-2.el6_1.4.x86_64.rpm
subversion-perl-1.6.11-2.el6_1.4.i686.rpm
subversion-perl-1.6.11-2.el6_1.4.x86_64.rpm
subversion-ruby-1.6.11-2.el6_1.4.i686.rpm
subversion-ruby-1.6.11-2.el6_1.4.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-1752.html
https://www.redhat.com/security/data/cve/CVE-2011-1783.html
https://www.redhat.com/security/data/cve/CVE-2011-1921.html
https://access.redhat.com/security/updates/classification/#moderate
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2011 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFN75utXlSAg2UNWIIRAuXgAJ9fhhY1xxC7jRZbLGZA6ENr3dnTBQCgkdf0
J9nA8MJRlM/XVtyj3mbVErg=
=jujC
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
. ==========================================================================
Ubuntu Security Notice USN-1144-1
June 06, 2011
subversion vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
Summary:
An attacker could send crafted input to the Subversion mod_dav_svn module
for Apache and cause it to crash or gain access to restricted files.
Software Description:
- subversion: Advanced version control system
Details:
Joe Schaefer discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain baselined WebDAV resource requests. (CVE-2011-1752)
Ivan Zhakov discovered that the Subversion mod_dav_svn module for Apache
did not properly handle certain requests. (CVE-2011-1921)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 11.04:
libapache2-svn 1.6.12dfsg-4ubuntu2.1
Ubuntu 10.10:
libapache2-svn 1.6.12dfsg-1ubuntu1.3
Ubuntu 10.04 LTS:
libapache2-svn 1.6.6dfsg-2ubuntu1.3
After a standard system update you need to restart any applications that
use Subversion, such as Apache when using mod_dav_svn, to make all the
necessary changes
| VAR-201106-0132 | CVE-2011-1753 | Ejabberd XML Parsing Denial of Service Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp before 0.9.7, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. Ejabberd is an instant messaging server for the Jabber/XMPP protocol. There is an error in processing part of the XML input. ----------------------------------------------------------------------
Alerts when vulnerabilities pose a threat to your infrastructure
The enhanced reporting module of the Secunia Vulnerability Intelligence Manager (VIM) enables you to combine advisory and ticket information, and generate policy compliance statistics. Using your asset list preferences, customised notifications are issued as soon as a new vulnerability is discovered - a valuable tool for documenting mitigation strategies.
Watch our quick solution overview:
http://www.youtube.com/user/Secunia#p/a/u/0/M1Y9sJqR2SY
----------------------------------------------------------------------
TITLE:
ejabberd Nested XML Entities Denial of Service Vulnerability
SECUNIA ADVISORY ID:
SA44807
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44807/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44807
RELEASE DATE:
2011-06-01
DISCUSS ADVISORY:
http://secunia.com/advisories/44807/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44807/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44807
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in ejabberd, which can be exploited
by malicious people to cause a DoS (Denial of Service).
The vulnerability is reported in version 2.1.6. Other versions may
also be affected.
SOLUTION:
Fixed in the GIT repository.
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
PROVIDED AND/OR DISCOVERED BY:
Debian credits Wouter Coekaerts.
ORIGINAL ADVISORY:
https://git.process-one.net/ejabberd/mainline/commit/bd1df027c622e1f96f9eeaac612a6a956c1ff0b6
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. This fixes a vulnerability,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
For more information:
SA44807
SOLUTION:
Apply updated packages via the apt-get package manager. ----------------------------------------------------------------------
Frost & Sullivan 2011 Report: Secunia Vulnerability Research
\"Frost & Sullivan believes that Secunia continues to be a major player in the vulnerability research market due to its diversity of products that provide best-in-class coverage, quality, and usability.\" This is just one of the key factors that influenced Frost & Sullivan to select Secunia over other companies. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: ejabberd: Multiple Denial of Service vulnerabilities
Date: June 21, 2012
Bugs: #308047, #370201, #386075
ID: 201206-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in ejabberd, the worst of
which allowing for remote Denial of Service.
Background
==========
ejabberd is the Erlang jabber daemon.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-im/ejabberd < 2.1.9 >= 2.1.9
Description
===========
Multiple vulnerabilities have been discovered in ejabberd. Please
review the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ejabberd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/ejabberd-2.1.9"
References
==========
[ 1 ] CVE-2010-0305
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0305
[ 2 ] CVE-2011-1753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1753
[ 3 ] CVE-2011-4320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4320
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201206-10.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2248-1 security@debian.org
http://www.debian.org/security/ Nico Golde
March 31, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : ejabberd
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1753
Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server
written in Erlang, is vulnerable to the so-called "billion laughs" attack
because it does not prevent entity expansion on received data.
This allows an attacker to perform denial of service attacks against the
service by sending specially crafted XML data to it.
For the oldstable distribution (lenny), this problem has been fixed in
version 2.0.1-6+lenny3.
For the stable distribution (squeeze), this problem has been fixed in
version 2.1.5-3+squeeze1.
For the testing distribution (wheezy), this problem will be fixed soon.
For the unstable distribution (sid), this problem has been fixed in
version 2.1.6-2.1.
We recommend that you upgrade your ejabberd packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk3lVy8ACgkQHYflSXNkfP9+XwCZASQIxH5wedS/Sv5RVbLq72TX
BCQAmwa5smfQdADSxcAw9vRXuTPmuck4
=s7fb
-----END PGP SIGNATURE-----
| VAR-201106-0024 | CVE-2011-1623 | Cisco Media Processing Software Vulnerabilities that gain access |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Media Processing Software before 1.2 on Media Experience Engine (MXE) 5600 devices has a default root password, which makes it easier for context-dependent attackers to obtain access via (1) the local console, (2) an SSH session, or (3) a TELNET session, aka Bug ID CSCto77737. The Cisco MXE 5600 includes a root account for advanced debugging, but is not required for normal operations. The root account is different from the admin and user accounts. If Telnet is enabled, it can also be accessed via Telnet.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device.
This issue is being tracked by Cisco bug ID CSCto77737. A software upgrade is not
required to resolve this vulnerability. Customers can change the root
account password by issuing a configuration command on affected
engines. The workarounds detailed in this document provide
instructions for changing the root account password. To determine
the software release that is running on a Cisco MXE unit, log in to
the device and issue the show version command-line interface (CLI)
command to display the system banner. The following example shows a
Cisco MXE 5600 device running software version 1.2.0-34.
No other Cisco products are currently known to be affected by this
vulnerability. For instructions on how
to set or change the root password, see the Workarounds section of this
advisory.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCto77737 ("Default Credentials for root Account on MXE 5600")
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow an
unauthorized user to modify the software configuration and the
operating system settings or gain complete administrative control of
the device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. The passwd command will accept a null or weak password, but
Cisco highly recommends using a long, complex password. To change the
password, users will need the default password. To obtain the default
password, customers must contact the Cisco TAC. Because entitlement
will be verified, please have the product serial number available and
refer to this advisory.
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Intelligence companion
document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20110601-mxe.shtml
Obtaining Fixed Software
========================
Prior to deploying software, customers should consult their
maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Cisco will not make free upgrade software available for affected
customers to address this vulnerability. The workaround provided in
this document describes how to change the passwords in current
releases of the software.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during internal testing.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-mxe.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2011-June-01 | Initial public release |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding
Cisco security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
Updated: Jun 01, 2011 Document ID: 112959
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iF4EAREIAAYFAk3mYakACgkQQXnnBKKRMNDuBwD+J7cpkJXFQe5C/IHvYzNejxCB
UKzuwdqr8OD+DczVMcgA/2M/3DlTswtrsh8jTgT8ChkE0TwnNf1uSOcW4g/blNlR
=VGLK
-----END PGP SIGNATURE-----
| VAR-201106-0319 | No CVE | NetGear WNDAP350 Wireless Access Point Information Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The NetGear WNDAP350 is a wireless access device. The NetGear WNDAP350 wireless access point lacks the correct restrictions on access. An attacker can exploit the vulnerability to obtain sensitive information, including plain text management passwords or WPA ciphertext, through the download.php or BackupConfig.php script.
WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable; other firmware versions may also be affected
| VAR-201106-0112 | CVE-2011-2040 |
Cisco AnyConnect SSL VPN arbitrary code execution
Related entries in the VARIoT exploits database: VAR-E-201106-0065 |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.5.3041, and 3.0.x before 3.0.629, on Linux and Mac OS X downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a Java applet, aka Bug ID CSCsy05934. The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Cisco AnyConnect Secure Mobility Client is a remote access solution from Cisco that is Cisco's next-generation VPN client. WEB pages that use social engineering spoofing or other vulnerabilities to entice users to access, allowing an attacker to provide arbitrary executable programs for the helper application to download and execute.
This issue is tracked by Cisco Bug IDs CSCsy00904 and CSCsy05934. There are no workarounds for the vulnerabilities
described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities described in this document apply to the Cisco
AnyConnect Secure Mobility Client. The affected versions are included
in the following table:
+------------------------------------------------------------+
| Vulnerability | Platform | Affected Versions |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| | Windows | 2.3.185 |
| |-----------+----------------------------|
| Arbitrary Program | | * All versions in major |
| Execution | | releases other than |
| Vulnerability | Linux, | 2.5.x and 3.0.x. |
| | Apple | * 2.5.x releases prior |
| | MacOS X | to 2.5.3041 |
| | | * 3.0.x releases prior |
| | | to 3.0.629 |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| Local Privilege | Windows | 2.3.254 |
|Escalation |-----------+----------------------------|
| Vulnerability | Linux, | |
| | Apple | Not affected |
| | MacOS X | |
+------------------------------------------------------------+
Note: Microsoft Windows Mobile versions are affected by the Arbitrary
Program Execution Vulnerability.
No other Cisco products are currently known to be affected by these
vulnerabilities. After the user logs in, the browser displays a portal
window and when the user clicks the "Start AnyConnect" link, the
process of downloading the Cisco AnyConnect Secure Mobility Client
begins. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. This
arbitrary executable would be executed with the same operating system
privileges under which the web browser was run. Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for
CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for
these vulnerabilities. An attacker may
engineer a web page to supply an affected version of the ActiveX
control or Java applet and still accomplish arbitrary program
execution because of the lack of authenticity validation. When this occurs, an
old version of the ActiveX control will not be instantiated if
one is presented for download. This
action accomplishes the same result as the previous
recommendation -- it deploys new, fixed versions of the ActiveX
control so that old, vulnerable versions of the control are not
instantiated if one is presented for download. This action prevents the
ActiveX control from being instantiated under any scenario.
Instructions for setting the kill bit are beyond the scope of
this document; refer to the Microsoft Support article "How to
stop an ActiveX control from running in Internet Explorer" at
http://support.microsoft.com/kb/240797 and the Microsoft Security
Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts
referenced in the Microsoft Support article for more information. Note that this CLSID
did not change with new versions of the ActiveX control that
implement code signing validation.
Mitigating the risk of old versions of the Java applet can be
accomplished by blacklisting old, vulnerable versions using the Jar
blacklist feature introduced with Java SE 6 Update 14. For
information on the Jar blacklist feature refer to the Java SE 6
Update 14 release notes, available at:
http://www.oracle.com/technetwork/java/javase/6u14-137039.html
The jar files to be blacklisted are identified by the following SHA-1
message digests:
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
Local Privilege Escalation Vulnerability
+---------------------------------------
Unprivileged users can elevate their privileges to those of the
LocalSystem account by enabling the Start Before Logon (SBL) feature
and interacting with the Cisco AnyConnect Secure Mobility Client
graphical user interface in the Windows logon screen.
To prevent this issue, fixed versions of the Cisco AnyConnect Secure
Mobility Client limit the amount of interaction that is possible in
the client's graphical user interface when it is displayed on the
Windows logon screen.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsy00904 & CSCsy05934 - Arbitrary Program Execution Vulnerability
CVSS Base Score - 7.6
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCta40556 -- AnyConnect: Security issue with SBL on versions
prior to 2.3
CVSS Base Score - 7.2
Access Vector - Local
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Arbitrary Program Execution Vulnerability
+----------------------------------------
Exploitation of this vulnerability may allow an attacker to execute
arbitrary programs on the computer of a Cisco AnyConnect Secure
Mobility Client user with the privileges of the user who is
establishing the VPN connection.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Platform | First Fixed |
| | | Release |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.185 |
| Arbitrary Program | Windows | |
|Execution Vulnerability |---------------+---------------|
| | Linux, Apple | 2.5.3041 and |
| | Mac OS X | 3.0.629 |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.254 |
| Local Privilege Escalation | Windows | |
|Vulnerability |---------------+---------------|
| | Linux, Apple | Not affected |
| | Mac OS X | |
+------------------------------------------------------------+
Recommended Releases
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. Cisco would like to
thank iDefense for reporting this vulnerability and for working with
us towards a coordinated disclosure of the vulnerability.
The Local Privilege Escalation Vulnerability was reported to Cisco by
a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk3mbJUACgkQQXnnBKKRMNBBxAD+Oh7XQCOtCDOFCY8K1hWFAV/K
iwgK2hG+GNV39PPndfQA/0Sked3glEypuwev05ULO4ukTAPoDI5CJLnb4W4TKjL8
=pAlh
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco AnyConnect VPN Client Two Vulnerabilities
SECUNIA ADVISORY ID:
SA44812
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44812/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44812/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44812/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco AnyConnect VPN
Client, which can be exploited by malicious people with physical
access to bypass certain security restrictions and by malicious
people to compromise a user's system.
Successful exploitation of this vulnerability requires the Start
Before Logon (SBL) feature to be enabled.
2) An error in the helper application used for remote deployment of
the client (e.g.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported to the vendor by a customer.
2) The vendor credits Elazar Broad via iDefense.
ORIGINAL ADVISORY:
Cisco (cisco-sa-20110601-ac):
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0025 | CVE-2011-1602 | Cisco Unified IP Phone 7900 of su Vulnerability gained by utility |
CVSS V2: 6.6 CVSS V3: - Severity: MEDIUM |
The su utility on Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.0.3 allows local users to gain privileges via unspecified vectors, aka Bug ID CSCtf07426. The problem is Bug ID CSCtf07426 It is a problem.Authority may be obtained by local users. The Cisco Unified IP Phone is Cisco's unified IP telephony solution. These three
vulnerabilities are classified as two privilege escalation
vulnerabilities and one signature bypass vulnerability.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds available to mitigate these
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml. The following sections provide the details of each
vulnerability addressed in this security advisory.
These vulnerabilities are documented in Cisco bug IDs CSCtf07426
and CSCtn65815 and have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2011-1602 and CVE-2011-1603
respectively.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf07426 - Privilege Escalation with "su" utility
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65815 - Privilege Escalation in IP Phones
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65962 - Phones Permits the Installation of Unsigned Code
CVSS Base Score - 1.5
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 1.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the two privilege escalation
vulnerabilities could allow an authenticated attacker to change phone
configuration and obtain system information.
Successful exploitation of the signature verification bypass
vulnerability that could allow an authenticated attacker to load and
execute a software image without verification of its signature.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------+
| | First |
| Vulnerability | Fixed |
| | Release |
|----------------------------+----------|
| CSCtf07426 - Privilege | |
| Escalation with "su" | 9.0.3 |
| utility | |
|----------------------------+----------|
| CSCtn65815 - Privilege | 9.2.1 |
| Escalation in IP Phones | |
|----------------------------+----------|
| CSCtn65962 - Phones | |
| Permits the Installation | 9.2.1 |
| of Unsigned Code | |
+---------------------------------------+
Workarounds
===========
There are no workarounds available to mitigate any of these
vulnerabilities. Note: All of these vulnerabilities require the
attacker to be authenticated.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Matt
Duggan of Qualcomm.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFN5k0FQXnnBKKRMNARCCF9AP0ar3AfiP9uA0nW3t6SFYx6XIdGytUG2S/K
1SMd+3y7wgEAhzzCUzc85QKeV/jicP5lXboEspr5eU7MftNMqM1oUNw=
=ZBzs
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco Unified IP Phone Privilege Escalation and Security Bypass
SECUNIA ADVISORY ID:
SA44814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some security issues have been reported in Cisco Unified IP Phone
models, which can be exploited by malicious, local users to bypass
certain security restrictions and perform certain actions with
escalated privileges.
3) An error in the device does not properly verify the signature of
the software image before loading the image and can be exploited to
upload an arbitrary software image.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0021 | CVE-2011-1637 | Cisco Unified IP Phones 7900 Vulnerabilities that can gain privileges on devices |
CVSS V2: 1.5 CVSS V3: - Severity: LOW |
Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.2.1 do not properly verify signatures for software images, which allows local users to gain privileges via a crafted image, aka Bug ID CSCtn65962. The Cisco Unified IP Phone is Cisco's unified IP telephony solution.
An attacker can exploit this issue to bypass the signature-verification mechanism.
This issue is tracked by Cisco Bug ID CSCtn65962. These three
vulnerabilities are classified as two privilege escalation
vulnerabilities and one signature bypass vulnerability.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds available to mitigate these
vulnerabilities.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml. The following sections provide the details of each
vulnerability addressed in this security advisory.
These vulnerabilities are documented in Cisco bug IDs CSCtf07426
and CSCtn65815 and have been assigned Common Vulnerabilities and
Exposures (CVE) identifiers CVE-2011-1602 and CVE-2011-1603
respectively.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCtf07426 - Privilege Escalation with "su" utility
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65815 - Privilege Escalation in IP Phones
CVSS Base Score - 6.6
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 5.5
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCtn65962 - Phones Permits the Installation of Unsigned Code
CVSS Base Score - 1.5
Access Vector - Local
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 1.2
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the two privilege escalation
vulnerabilities could allow an authenticated attacker to change phone
configuration and obtain system information.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+---------------------------------------+
| | First |
| Vulnerability | Fixed |
| | Release |
|----------------------------+----------|
| CSCtf07426 - Privilege | |
| Escalation with "su" | 9.0.3 |
| utility | |
|----------------------------+----------|
| CSCtn65815 - Privilege | 9.2.1 |
| Escalation in IP Phones | |
|----------------------------+----------|
| CSCtn65962 - Phones | |
| Permits the Installation | 9.2.1 |
| of Unsigned Code | |
+---------------------------------------+
Workarounds
===========
There are no workarounds available to mitigate any of these
vulnerabilities. Note: All of these vulnerabilities require the
attacker to be authenticated.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
These vulnerabilities were discovered and reported to Cisco by Matt
Duggan of Qualcomm.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFN5k0FQXnnBKKRMNARCCF9AP0ar3AfiP9uA0nW3t6SFYx6XIdGytUG2S/K
1SMd+3y7wgEAhzzCUzc85QKeV/jicP5lXboEspr5eU7MftNMqM1oUNw=
=ZBzs
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco Unified IP Phone Privilege Escalation and Security Bypass
SECUNIA ADVISORY ID:
SA44814
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44814/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44814/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44814/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44814
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some security issues have been reported in Cisco Unified IP Phone
models, which can be exploited by malicious, local users to bypass
certain security restrictions and perform certain actions with
escalated privileges.
1) An error within the "su" utility can be exploited to change the
phone configuration or gain potentially sensitive information.
2) An unspecified error can be exploited to change the phone
configuration or gain potentially sensitive information.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-phone.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0110 | CVE-2011-2024 | Cisco Network Registrar Vulnerabilities to gain access to |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Network Registrar before 7.2 has a default administrative password, which makes it easier for remote attackers to obtain access via a TCP session, aka Bug ID CSCsm50627. The problem is Bug ID CSCsm50627 Problem.By a third party, TCP You may gain access through a session. Cisco CNS Network Registrar provides highly scalable and reliable DNS, DHCP and TFTP services.
An attacker can exploit this issue to gain unauthorized administrative access to the affected device. Successful exploits will result in the complete compromise of the affected device.
This issue is being tracked by Cisco bug ID CSCsm50627. During the initial
installation, users are not forced to change this password, allowing
it to persist after the installation.
The upgrade to Software Release 7.2 is not free; however, a
workaround is provided in this document that will prevent
exploitation of the vulnerability.
When performing an upgrade to Software Release 7.2, you must use the
workaround to change the password of the administrative account.
The workaround for this vulnerability is to change the password
associated with the administrative account using the method described
in the "Workarounds" section.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-cnr.shtml
Affected Products
=================
Vulnerable Products
+------------------
This vulnerability affects all releases of Cisco Network Registrar
prior to Software Release 7.2. The vulnerability is present in the
affected releases on all platforms. Alternatively, if using the
command-line interface, execute the following command:
nrcmd> session get version
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability. This vulnerability is
documented in Cisco bug ID CSCsm50627 ( registered customers only)
and has been assigned the Common Vulnerabilities and Exposures (CVE)
identifier CVE-2011-2024.
Additionally, it is a good practice to change passwords periodically.
The interval should comply with an organization's security policy
but, as a guideline, passwords should be changed two to three times a
year. This practice applies equally to all products regardless of
when they are installed and to all users, administrators and
non-administrators.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at the following link:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsm50627 - Initially supplied admin password not changed during the installation
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may allow an attacker to
make arbitrary changes to the configuration of Cisco Network
Registrar.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
This vulnerability is fixed in Software Release 7.2.
Workarounds
===========
The provided workaround changes the password that is associated with
the administrator's account. To change the password using the web
interface, select Advanced -> Administrators -> Admin from the menu.
Execute the following command to change the administrator's password
using the command-line interface:
admin <admin-name> enterPassword
Additionally, access to Cisco Network Registrar (TCP ports 8080,
8090, 8443, and 8453) and the host on which it is running should be
limited to legitimate IP addresses. Consult the documentation of the
host operating system for further details how to accomplish this
task.
The use of IP addresses as a form of authentication is a
well-established network security practice. For more guidance on the
use of access control lists (ACLs) or the explicit identification of
network management stations in devices and applications, reference
the white paper A Security-Oriented Approach to IP Addressing at the
following link:
http://www.cisco.com/web/about/security/intelligence/security-for-ip-addr.html
Obtaining Fixed Software
========================
Cisco will not make free upgrade software available for affected
customers to address this vulnerability. The workaround provided in
this document describes how to change the passwords in current
releases of the software.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for
additional TAC contact information, including localized telephone numbers,
and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was discovered during an internal review.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20110601-cnr.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2001-06-01 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iFcDBQFN5XmlQXnnBKKRMNARCJ/mAP0VFqUaxecmVxktLg4c8opYzEEj3VL8+PMl
KcRmg+hRDwD/bQYE8gud6mml4vjqdXuSPfS+p36+PLcQv159dlPxUv8=
=wSxT
-----END PGP SIGNATURE-----
| VAR-201106-0113 | CVE-2011-2041 | Cisco AnyConnect Secure Mobility Client Vulnerability gained in |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The Start Before Logon (SBL) functionality in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.254 on Windows, and on Windows Mobile, allows local users to gain privileges via unspecified user-interface interaction, aka Bug ID CSCta40556. The problem is Bug ID CSCta40556 It is a problem.Authority may be obtained by local users. Cisco AnyConnect Secure Mobility Client is a remote access solution from Cisco that is Cisco's next-generation VPN client. A local elevation of privilege vulnerability exists in the Cisco AnyConnect Secure Mobility Vulnerability. This vulnerability only affects the Windows platform because SBL does not support Linux and MacOS X clients.
Local attackers can exploit this issue to gain elevated privileges. Successful exploits will result in the complete compromise of affected computers.
Versions prior to AnyConnect Secure Mobility Client 2.3.254 are vulnerable. There are no workarounds for the vulnerabilities
described in this advisory. The affected versions are included
in the following table:
+------------------------------------------------------------+
| Vulnerability | Platform | Affected Versions |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| | Windows | 2.3.185 |
| |-----------+----------------------------|
| Arbitrary Program | | * All versions in major |
| Execution | | releases other than |
| Vulnerability | Linux, | 2.5.x and 3.0.x. |
| | Apple | * 2.5.x releases prior |
| | MacOS X | to 2.5.3041 |
| | | * 3.0.x releases prior |
| | | to 3.0.629 |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| Local Privilege | Windows | 2.3.254 |
|Escalation |-----------+----------------------------|
| Vulnerability | Linux, | |
| | Apple | Not affected |
| | MacOS X | |
+------------------------------------------------------------+
Note: Microsoft Windows Mobile versions are affected by the Arbitrary
Program Execution Vulnerability.
No other Cisco products are currently known to be affected by these
vulnerabilities. This action causes the browser to first download a "helper"
application that aids in downloading and executing the actual Cisco
AnyConnect Secure Mobility Client. The helper application is a Java
applet on the Linux and MacOS X platforms, and either a Java applet
on the Windows platform or an ActiveX control if the browser is
capable of utilizing ActiveX controls. The downloaded helper
application is executed in the context of the originating site in the
user's web browser. An attacker could
create a malicious web page that looks like the normal VPN web login
page and entice a user, through social engineering or exploitation of
other vulnerabilities, to visit it. This would allow the attacker to
supply an arbitrary executable that the helper application would
download and execute on the machine of the affected user. This
arbitrary executable would be executed with the same operating system
privileges under which the web browser was run. Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for
CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for
these vulnerabilities.
Additional Considerations for the Arbitrary Program Execution
Vulnerability
+------------------------------------------------------------
Note that while new versions of the ActiveX control and Java applet
that are shipped with the Cisco AnyConnect Secure Mobility Client
make use of code signing to validate the authenticity of components
downloaded from the VPN headend, there is still the issue of old
versions that do not validate downloaded components. An attacker may
engineer a web page to supply an affected version of the ActiveX
control or Java applet and still accomplish arbitrary program
execution because of the lack of authenticity validation.
Mitigating the risk of old versions of the ActiveX control can be
accomplished in the following ways:
* Load fixed Cisco AnyConnect Secure Mobility Client versions on
the VPN headend and establish a VPN connection (via web browser
or standalone client). This action will cause the new version of
the Cisco AnyConnect Secure Mobility Client, including a new
version of the ActiveX control to install. When this occurs, an
old version of the ActiveX control will not be instantiated if
one is presented for download. This
action accomplishes the same result as the previous
recommendation -- it deploys new, fixed versions of the ActiveX
control so that old, vulnerable versions of the control are not
instantiated if one is presented for download. This action prevents the
ActiveX control from being instantiated under any scenario.
Instructions for setting the kill bit are beyond the scope of
this document; refer to the Microsoft Support article "How to
stop an ActiveX control from running in Internet Explorer" at
http://support.microsoft.com/kb/240797 and the Microsoft Security
Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts
referenced in the Microsoft Support article for more information. Note that this CLSID
did not change with new versions of the ActiveX control that
implement code signing validation.
Mitigating the risk of old versions of the Java applet can be
accomplished by blacklisting old, vulnerable versions using the Jar
blacklist feature introduced with Java SE 6 Update 14.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsy00904 & CSCsy05934 - Arbitrary Program Execution Vulnerability
CVSS Base Score - 7.6
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCta40556 -- AnyConnect: Security issue with SBL on versions
prior to 2.3
CVSS Base Score - 7.2
Access Vector - Local
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Arbitrary Program Execution Vulnerability
+----------------------------------------
Exploitation of this vulnerability may allow an attacker to execute
arbitrary programs on the computer of a Cisco AnyConnect Secure
Mobility Client user with the privileges of the user who is
establishing the VPN connection.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Platform | First Fixed |
| | | Release |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.185 |
| Arbitrary Program | Windows | |
|Execution Vulnerability |---------------+---------------|
| | Linux, Apple | 2.5.3041 and |
| | Mac OS X | 3.0.629 |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.254 |
| Local Privilege Escalation | Windows | |
|Vulnerability |---------------+---------------|
| | Linux, Apple | Not affected |
| | Mac OS X | |
+------------------------------------------------------------+
Recommended Releases
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
The Arbitrary Program Execution Vulnerability was discovered by
Elazar Broad and reported to Cisco by iDefense.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk3mbJUACgkQQXnnBKKRMNBBxAD+Oh7XQCOtCDOFCY8K1hWFAV/K
iwgK2hG+GNV39PPndfQA/0Sked3glEypuwev05ULO4ukTAPoDI5CJLnb4W4TKjL8
=pAlh
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco AnyConnect VPN Client Two Vulnerabilities
SECUNIA ADVISORY ID:
SA44812
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44812/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44812/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44812/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco AnyConnect VPN
Client, which can be exploited by malicious people with physical
access to bypass certain security restrictions and by malicious
people to compromise a user's system.
Successful exploitation of this vulnerability requires the Start
Before Logon (SBL) feature to be enabled.
2) An error in the helper application used for remote deployment of
the client (e.g.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported to the vendor by a customer.
2) The vendor credits Elazar Broad via iDefense.
ORIGINAL ADVISORY:
Cisco (cisco-sa-20110601-ac):
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-201106-0111 | CVE-2011-2039 |
Cisco AnyConnect SSL VPN arbitrary code execution
Related entries in the VARIoT exploits database: VAR-E-201106-0065 |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904. The Cisco AnyConnect SSL VPN ActiveX and Java clients contain a vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Cisco AnyConnect Secure Mobility Client is a remote access solution from Cisco that is Cisco's next-generation VPN client. When the Cisco AnyConnect Secure Mobility Client is deployed from the VPN front end, a WEB browser is used to initialize an SSL connection to the VPN front end. After the user logs in, the browser displays the portal window. When the user clicks \"Start AnyConnect\", the process will start downloading the Cisco AnyConnect Secure Mobility Client. The helper application is a Java Applet on Linux and MacOS X platforms or a Java Applet on a Windows platform or an ActiveX plugin on a browser. The downloaded Helper program is in a web browser. The initial site context is executed. The helper program then downloads the program from the VPN front end and executes it.
An attacker can exploit this issue by using social engineering techniques to coerce unsuspecting users to download and execute arbitrary applications.
This issue is tracked by Cisco Bug IDs CSCsy00904 and CSCsy05934. The control itself is provided by the server upon connecting. For more information, visit the following URL.
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html
II.
The vulnerability exists within the ActiveX control with the following
identifiers:
CLSID: 55963676-2F5E-4BAF-AC28-CF26AA587566
ProgId: Cisco.AnyConnect.VPNWeb.1
File: %WINDIR%\system32\vpnweb.ocx
This ActiveX control is not marked as safe for initialization or
scripting within the registry, but it does implement IObjectSafety. When
queried, this control's IObjectSafety interface reports that it is safe
for both scripting and initialization. Once it is
instantiated, it will attempt to download two files from the site
supported in the "url" property. As such, an attacker can craft a page
such that the control will download an executable of their choosing.
One of the files will be executed upon the successful completion of the
download.
III. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.
Additionally, in a default configuration, a targeted user must have this
control already installed or must accept several warning prompts at the
time that the attack is taking place. This control is not on the white
list included with Internet Explorer 7.0. More information can be found
at the following URL.
http://msdn.microsoft.com/en-us/library/bb250471.aspx
IV.
V. WORKAROUND
Setting the kill-bit for this control will prevent it from being loaded
within Internet Explorer. However, doing so will prevent legitimate use
of the control.
VI. For more information, consult their
advisory at the following URL.
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml
VII. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
02/24/2009 Initial Vendor Notification
02/25/2009 Initial Vendor Reply
06/01/2011 Coordinated Public Disclosure
IX.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2011 Verisign
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. There are no workarounds for the vulnerabilities
described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
Affected Products
=================
Vulnerable Products
+------------------
The vulnerabilities described in this document apply to the Cisco
AnyConnect Secure Mobility Client. The affected versions are included
in the following table:
+------------------------------------------------------------+
| Vulnerability | Platform | Affected Versions |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| | Windows | 2.3.185 |
| |-----------+----------------------------|
| Arbitrary Program | | * All versions in major |
| Execution | | releases other than |
| Vulnerability | Linux, | 2.5.x and 3.0.x. |
| | Apple | * 2.5.x releases prior |
| | MacOS X | to 2.5.3041 |
| | | * 3.0.x releases prior |
| | | to 3.0.629 |
|-------------------+-----------+----------------------------|
| | Microsoft | All versions prior to |
| Local Privilege | Windows | 2.3.254 |
|Escalation |-----------+----------------------------|
| Vulnerability | Linux, | |
| | Apple | Not affected |
| | MacOS X | |
+------------------------------------------------------------+
Note: Microsoft Windows Mobile versions are affected by the Arbitrary
Program Execution Vulnerability.
No other Cisco products are currently known to be affected by these
vulnerabilities. An attacker could
create a malicious web page that looks like the normal VPN web login
page and entice a user, through social engineering or exploitation of
other vulnerabilities, to visit it. This
arbitrary executable would be executed with the same operating system
privileges under which the web browser was run. Common
Vulnerabilities and Exposures (CVE) IDs CVE-2011-2039 (for
CSCsy00904) and CVE-2011-2040 (for CSCsy05934) have been assigned for
these vulnerabilities. An attacker may
engineer a web page to supply an affected version of the ActiveX
control or Java applet and still accomplish arbitrary program
execution because of the lack of authenticity validation. When this occurs, an
old version of the ActiveX control will not be instantiated if
one is presented for download. This
action accomplishes the same result as the previous
recommendation -- it deploys new, fixed versions of the ActiveX
control so that old, vulnerable versions of the control are not
instantiated if one is presented for download. This action prevents the
ActiveX control from being instantiated under any scenario.
Instructions for setting the kill bit are beyond the scope of
this document; refer to the Microsoft Support article "How to
stop an ActiveX control from running in Internet Explorer" at
http://support.microsoft.com/kb/240797 and the Microsoft Security
Vulnerability Research & Defense's "Kill-Bit FAQ" blog posts
referenced in the Microsoft Support article for more information. Note that this CLSID
did not change with new versions of the ActiveX control that
implement code signing validation.
Mitigating the risk of old versions of the Java applet can be
accomplished by blacklisting old, vulnerable versions using the Jar
blacklist feature introduced with Java SE 6 Update 14. For
information on the Jar blacklist feature refer to the Java SE 6
Update 14 release notes, available at:
http://www.oracle.com/technetwork/java/javase/6u14-137039.html
The jar files to be blacklisted are identified by the following SHA-1
message digests:
# 2.3.0254, 2.3.1003, 2.3.2016, 2.4.0202, 2.4.1012,
# 2.5.0217, 2.5.1025, 2.5.2001, 2.5.2006, 2.5.2010,
# 2.5.2011, 2.5.2014, 2.5.2017, 2.5.2018, 2.5.2019
SHA1-Digest-Manifest : xmarT5s8kwnKRLxnCOoLUnxnveE=
# 2.2.0133, 2.2.0136, 2.2.0140
SHA1-Digest-Manifest : 2wXAWNws4uNdCioU1eoCOS4+J3o=
# 2.0.0343, 2.1.0148
SHA1-Digest-Manifest : OlNnvozFCxbJZbRfGiLckOE8uFQ=
Local Privilege Escalation Vulnerability
+---------------------------------------
Unprivileged users can elevate their privileges to those of the
LocalSystem account by enabling the Start Before Logon (SBL) feature
and interacting with the Cisco AnyConnect Secure Mobility Client
graphical user interface in the Windows logon screen.
To prevent this issue, fixed versions of the Cisco AnyConnect Secure
Mobility Client limit the amount of interaction that is possible in
the client's graphical user interface when it is displayed on the
Windows logon screen.
Vulnerability Scoring Details
+----------------------------
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsy00904 & CSCsy05934 - Arbitrary Program Execution Vulnerability
CVSS Base Score - 7.6
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* CSCta40556 -- AnyConnect: Security issue with SBL on versions
prior to 2.3
CVSS Base Score - 7.2
Access Vector - Local
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.0
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Arbitrary Program Execution Vulnerability
+----------------------------------------
Exploitation of this vulnerability may allow an attacker to execute
arbitrary programs on the computer of a Cisco AnyConnect Secure
Mobility Client user with the privileges of the user who is
establishing the VPN connection.
Software Versions and Fixes
===========================
When considering software upgrades, also consult:
http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a complete
upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------------+
| Vulnerability | Platform | First Fixed |
| | | Release |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.185 |
| Arbitrary Program | Windows | |
|Execution Vulnerability |---------------+---------------|
| | Linux, Apple | 2.5.3041 and |
| | Mac OS X | 3.0.629 |
|----------------------------+---------------+---------------|
| | Microsoft | 2.3.254 |
| Local Privilege Escalation | Windows | |
|Vulnerability |---------------+---------------|
| | Linux, Apple | Not affected |
| | Mac OS X | |
+------------------------------------------------------------+
Recommended Releases
The following table lists all recommended releases. These recommended
releases contain the fixes for all vulnerabilities in this advisory.
Cisco recommends upgrading to a release that is equal to or later
than these recommended releases.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at:
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory. Cisco would like to
thank iDefense for reporting this vulnerability and for working with
us towards a coordinated disclosure of the vulnerability.
The Local Privilege Escalation Vulnerability was reported to Cisco by
a customer.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2011-June-01 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
+--------------------------------------------------------------------
Copyright 2010-2011 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
iF4EAREIAAYFAk3mbJUACgkQQXnnBKKRMNBBxAD+Oh7XQCOtCDOFCY8K1hWFAV/K
iwgK2hG+GNV39PPndfQA/0Sked3glEypuwev05ULO4ukTAPoDI5CJLnb4W4TKjL8
=pAlh
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
Cisco AnyConnect VPN Client Two Vulnerabilities
SECUNIA ADVISORY ID:
SA44812
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44812/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
RELEASE DATE:
2011-06-03
DISCUSS ADVISORY:
http://secunia.com/advisories/44812/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44812/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44812
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Two vulnerabilities have been reported in Cisco AnyConnect VPN
Client, which can be exploited by malicious people with physical
access to bypass certain security restrictions and by malicious
people to compromise a user's system.
Successful exploitation of this vulnerability requires the Start
Before Logon (SBL) feature to be enabled.
2) An error in the helper application used for remote deployment of
the client (e.g.
SOLUTION:
Update to a fixed version (please see the vendor's advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
1) Reported to the vendor by a customer.
2) The vendor credits Elazar Broad via iDefense.
ORIGINAL ADVISORY:
Cisco (cisco-sa-20110601-ac):
http://www.cisco.com/warp/public/707/cisco-sa-20110601-ac.shtml
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-201106-0316 | No CVE | Belkin F5D7234-4V5 Wireless G Router 'login.stm'Manage Password Disclosure Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Belkin F5D7234-4V5 Wireless G Router is a wireless router device. There is a design error in the Belkin F5D7234-4V5 Wireless G Router. The attacker submits a specially crafted request for administrator password information.
Attackers can exploit this issue to gain access to the administrator's password. Successfully exploiting this issue may lead to other attacks
| VAR-201107-0109 | CVE-2011-1797 | Apple Safari Used in WebKit Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
WebKit, as used in Apple Safari before 5.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2011-07-20-1. WebKit is prone to a remote code-execution vulnerability due to memory-corruption.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage. Successful attacks will result in arbitrary code execution; failed attacks may cause denial-of-service conditions.
NOTE: This issue was previously discussed in BID 48808 (Apple Safari Prior to 5.1 and 5.0.6 Multiple Security Vulnerabilities) but has been given its own record to better document it. WebKit is a set of open source web browser engines jointly developed by companies such as KDE, Apple (Apple), and Google (Google), and is currently used by browsers such as Apple Safari and Google Chrome. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2245-1 security@debian.org
http://www.debian.org/security/ Giuseppe Iuculano
May 29, 2011 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : chromium-browser
Vulnerability : several vulnerabilities
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-1292 CVE-2011-1293 CVE-2011-1440 CVE-2011-1444
CVE-2011-1797 CVE-2011-1799
Several vulnerabilities were discovered in the Chromium browser.
CVE-2011-1444
Race condition in the sandbox launcher implementation in Google Chrome on
Linux allows remote attackers to cause a denial of service or possibly have
unspecified other impact via unknown vectors.
For the stable distribution (squeeze), these problems have been fixed in
version 6.0.472.63~r59945-5+squeeze5.
For the testing distribution (wheezy), these problems will be fixed soon.
For the unstable distribution (sid), these problems have been fixed in
version 11.0.696.68~r84545-1.
We recommend that you upgrade your chromium-browser packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk3iJO4ACgkQNxpp46476apuDACfQjllLVOT84OjL86pa8+JhD5j
GWgAmwc7Ei0TYhYaWQZbDmzalYq81pn4
=0RTf
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
The Secunia Vulnerability Intelligence Manager (VIM) enables you to handle vulnerability threats in a simple, cost effective way.
Read more and request a free trial:
http://secunia.com/products/corporate/vim/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA45325
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/45325/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
RELEASE DATE:
2011-07-22
DISCUSS ADVISORY:
http://secunia.com/advisories/45325/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/45325/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=45325
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A weakness and multiple vulnerabilities have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information, manipulate certain data, conduct cross-site
scripting and spoofing attacks, bypass certain security restrictions,
and compromise a user's system.
1) An error within CFNetwork when handling the "text/plain" content
type can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.
2) An error within CFNetwork when using the NTLM authentication
protocol can be exploited to execute arbitrary code by tricking a
user into visiting a specially crafted web page.
3) An error exists within CFNetwork when handling SSL certificates,
which does not properly verify disabled root certificates. This can
lead to certificates signed by the disabled root certificates being
validated.
4) An integer overflow error exists within the ColorSync component.
For more information see vulnerability #5 in:
SA45054
5) An off-by-one error exists within the CoreFoundation framework.
For more information see vulnerability #6 in:
SA45054
6) An integer overflow error exists in CoreGraphics.
For more information see vulnerability #7 in:
SA45054
7) An error exists within ICU (International Components for
Unicode).
For more information see vulnerability #11 in:
SA45054
8) An error exists in ImageIO within the handling of TIFF files when
handling certain uppercase strings.
For more information see vulnerability #9 in:
SA45054
9) An error in ImageIO within the handling of CCITT Group 4 encoded
TIFF image files can be exploited to cause a heap-based buffer
overflow.
10) A use-after-free error within WebKit when handling TIFF images
can result in an invalid pointer being dereferenced when a user views
a specially crafted web page.
11) An error within libxslt can be exploited to disclose certain
addresses from the heap.
For more information see vulnerability #2 in:
SA43832
12) An off-by-one error within libxml when handling certain XML data
can be exploited to cause a heap-based buffer overflow.
13) An error in the "AutoFill web forms" feature can be exploited to
disclose certain information from the user's Address Book by tricking
a user into visiting a specially crafted web page.
14) A cross-origin error when handling certain fonts in Java Applets
can lead to certain text being displayed on other sites.
15) Multiple unspecified errors in the WebKit component can be
exploited to corrupt memory.
16) An error within WebKit when handling libxslt configurations can
be exploited to create arbitrary files.
17) A cross-origin error when handling Web Workers can lead to
certain information being disclosed.
18) A cross-origin error when handling certain URLs containing a
username can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.
19) A cross-origin error when handling DOM nodes can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
20) An error within the handling of DOM history objects can be
exploited to display arbitrary content while showing the URL of a
trusted web site in the address bar.
21) An error within the handling of RSS feeds may lead to arbitrary
files from a user's system being sent to a remote server.
22) A weakness in WebKit can lead to remote DNS prefetching
For more information see vulnerability #6 in:
SA42312
23) A use-after-free error within WebKit when processing MathML
markup tags can result in an invalid pointer being dereferenced when
a user views a specially crafted web page.
24) An error within WebKit when parsing a frameset element can be
exploited to cause a heap-based buffer overflow.
25) A use-after-free error within WebKit when handling XHTML tags can
result in an invalid tag pointer being dereferenced when a user views
a specially crafted web page.
26) A use-after-free error within WebKit when handling SVG tags can
result in an invalid pointer being dereferenced when a user views a
specially crafted web page.
The weakness and the vulnerabilities are reported in versions prior
to 5.1 and 5.0.6.
SOLUTION:
Update to version 5.1 or 5.0.6.
PROVIDED AND/OR DISCOVERED BY:
10) Juan Pablo Lopez Yacubian via iDefense
4) binaryproof via ZDI
8) Dominic Chell, NGS Secure
23, 25, 26) wushi, team509 via iDefense
24) Jose A. Vazquez via iDefense
The vendor credits:
1) Hidetake Jo via Microsoft Vulnerability Research (MSVR) and Neal
Poole, Matasano Security
2) Takehiro Takahashi, IBM X-Force Research
3) An anonymous reporter
5) Harry Sintonen
6) Cristian Draghici, Modulo Consulting and Felix Grobert, Google
Security Team
7) David Bienvenu, Mozilla
9) Cyril CATTIAUX, Tessi Technologies
11) Chris Evans, Google Chrome Security Team
12) Billy Rios, Google Security Team
13) Florian Rienhardt of BSI, Alex Lambert, and Jeremiah Grossman
14) Joshua Smith, Kaon Interactive
16) Nicolas Gregoire, Agarri
17) Daniel Divricean, divricean.ro
18) Jobert Abma, Online24
19) Sergey Glazunov
20) Jordi Chancel
21) Jason Hullinger
22) Mike Cardwell, Cardwell IT
The vendor provides a bundled list of credits for vulnerabilities in
#15:
* David Weston, Microsoft and Microsoft Vulnerability Research
(MSVR)
* Yong Li, Research In Motion
* SkyLined, Google Chrome Security Team
* Abhishek Arya (Inferno), Google Chrome Security Team
* Nikita Tarakanov and Alex Bazhanyuk, CISS Research Team
* J23 via ZDI
* Rob King via ZDI
* wushi, team509 via ZDI
* wushi of team509
* Adam Barth, Google Chrome Security Team
* Richard Keen
* An anonymous researcher via ZDI
* Rik Cabanier, Adobe Systems
* Martin Barbella
* Sergey Glazunov
* miaubiz
* Andreas Kling, Nokia
* Marek Majkowski via iDefense
* John Knottenbelt, Google
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4808
iDefense:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=930
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=931
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=932
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=933
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=934
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-228/
NGS Secure:
http://archives.neohapsis.com/archives/bugtraq/2011-07/0034.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. Using your asset list preferences, customised notifications are issued as soon as a new vulnerability is discovered - a valuable tool for documenting mitigation strategies. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.
For more information:
SA43859
SA44375
SA44591
SOLUTION:
Apply updated packages via the apt-get package manager.
ORIGINAL ADVISORY:
DSA-2245-1:
http://lists.debian.org/debian-security-announce/2011/msg00115.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities
| VAR-201105-0313 | No CVE | Vordel Gateway Directory Traversal Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
The Vordel XML gateway is an XML gateway device. There is a problem with the Vordel XML gateway management interface. A remote attacker can send a URL request for a directory traversal sequence to port 8090, bypassing the WEB ROOT limit, and gain access to passwords and configuration files. Vordel Gateway is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input.
A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to gain access to arbitrary files on the targeted system. This may result in the disclosure of sensitive information or lead to a complete compromise of the affected computer.
Vordel Gateway 6.0.3 is vulnerable; other versions may also be affected