VARIoT IoT vulnerabilities database

Multiple buffer overflows in the authentication functionality in the web-server module in Cisco CiscoWorks Common Services before 4.0 allow remote attackers to execute arbitrary code via a session on TCP port (1) 443 or (2) 1741, aka Bug ID CSCti41352. Cisco CiscoWorks Common Services is prone to a buffer-overflow vulnerability because it fails to properly bounds check user-supplied data. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. CiscoWorks Common Services versions prior to 3.0.5, and versions 4.0 and later are not affected. This issue is tracked by Cisco bug id CSCti41352. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: CiscoWorks Common Services Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA42011 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42011/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42011 RELEASE DATE: 2010-10-29 DISCUSS ADVISORY: http://secunia.com/advisories/42011/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42011/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42011 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in various Cisco products, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error when processing certain packets and can be exploited to cause a buffer overflow via a specially crafted packet sent to certain TCP ports (e.g. 443 or 1741). Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20101027-cs.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Cisco has released free software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. Mitigations that limit the attack surface of this vulnerability are available. Administrators can check version details and licensing information about CiscoWorks Common Services by clicking the About button located in the top right corner of the CiscoWorks home page. The following CiscoWorks products with the default Common Services installed are affected by this vulnerability, due to their underlying Common Services version: +-------------------------------------------------------------------+ | | | Common | | Product | Product Version | Services | | | | Version | |-------------------------------+------------------+----------------| | Cisco Unified Operations | 2.0.1 | 3.0.5 | | Manager | | | |-------------------------------+------------------+----------------| | Cisco Unified Operations | 2.0.2 | 3.0.5 | | Manager | | | |-------------------------------+------------------+----------------| | Cisco Unified Operations | 2.0.3 | 3.0.5 | | Manager | | | |-------------------------------+------------------+----------------| | Cisco Unified Service Monitor | 2.0.1 | 3.0.5 | |-------------------------------+------------------+----------------| | CiscoWorks QoS Policy Manager | 4.0, 4.0.1, and | 3.0.5 | | | 4.0.2 | | |-------------------------------+------------------+----------------| | CiscoWorks LAN Management | 2.6 Update | 3.0.5 | | Solution | | | |-------------------------------+------------------+----------------| | CiscoWorks LAN Management | 3.0 | 3.1 | | Solution | | | |-------------------------------+------------------+----------------| | CiscoWorks LAN Management | 3.0 (December | 3.1.1 | | Solution | 2007 Update) | | |-------------------------------+------------------+----------------| | CiscoWorks LAN Management | 3.2 | 3.3.0 | | Solution | | | |-------------------------------+------------------+----------------| | Cisco Security Manager | 3.0.2 | 3.0.5 | |-------------------------------+------------------+----------------| | Cisco Security Manager | 3.1 and 3.1.1 | 3.0.5 | |-------------------------------+------------------+----------------| | Cisco Security Manager | 3.2 | 3.1 | |-------------------------------+------------------+----------------| | Cisco TelePresence Readiness | 1.0 | 3.0.5 | | Assessment Manager | | | +-------------------------------------------------------------------+ Note: CiscoWorks products could be vulnerable if their underlying Common Services versions were upgraded to a vulnerable version. The following CiscoWorks products with the default Common Services installed are not affected by this vulnerability, due to their underlying Common Services version: +-------------------------------------------------------------------+ | Product | Product | Common Services | | | Version | Version | |-----------------------------------+------------+------------------| | CiscoWorks IP Communications | 1.0 | 3.0 SP1 | | Operations Manager | | | |-----------------------------------+------------+------------------| | CiscoWorks IP Communications | 1.0 | 3.0 SP1 | | Service Monitor | | | |-----------------------------------+------------+------------------| | Cisco Unified Operations Manager | 1.1 | 3.0.3 | |-----------------------------------+------------+------------------| | Cisco Unified Operations Manager | 2.0 | 3.0.3 | |-----------------------------------+------------+------------------| | Cisco Unified Service Monitor | 1.1 | 3.0.3 | |-----------------------------------+------------+------------------| | Cisco Unified Service Monitor | 2.0 | 3.0.4 | |-----------------------------------+------------+------------------| | CiscoWorks LAN Management | 2.5, | 3.0.3 | | Solution | 2.5.1, 2.6 | | |-----------------------------------+------------+------------------| | CiscoWorks LAN Management | 4.0 | 4.0 | | Solution | | | |-----------------------------------+------------+------------------| | Cisco Security Manager | 3.0 | 3.0.3 | |-----------------------------------+------------+------------------| | Cisco Security Manager | 3.0.1 | 3.0.4 | +-------------------------------------------------------------------+ No other Cisco products are currently known to be affected by this vulnerability. Details ======= CiscoWorks Common Services is a set of management services that are shared by network management applications in a CiscoWorks solution set. CiscoWorks Common Services provides the foundation for CiscoWorks applications to share a common model for data storage, login, user role definitions, access privileges, security protocols, and navigation. It creates a standard user experience for all management functions. It also provides the common framework for all basic system level operations such as installation, data management (including backup-restoration and importing-exporting), event and message handling, job and process management, and software updates. The vulnerability could be exploited over TCP port 443 or 1741. Note: The default HTTP and HTTPS ports can be reconfigured on the server. The vulnerability affects both CiscoWorks Common Services for Oracle Solaris and Microsoft Windows. This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-3036. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Cisco Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCti41352 - CiscoWorks Common Services Arbitrary Code Execution Vulnerability CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code on the CiscoWorks server machine with the privileges of the system administrator. Software Versions and Fixes =========================== Cisco has released free software updates that address this vulnerability. Prior to deploying software updates, customers should consult their maintenance provider or check the software for featureset compatibility and known issues specific to their environment. This vulnerability has been resolved in CiscoWorks Common Services version 4.0 and in the following software patches: cwcs33-sol-CSCti41352.tar - for Oracle Solaris versions cwcs33-win-CSCti41352.zip - for Microsoft Windows versions These CiscoWorks Common Services patches can be downloaded from: http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=268439477 and navigating through the tree to "Routing and Switching Management > CiscoWorks LAN Management Solution Products > CiscoWorks Common Services Software > CiscoWorks Common Services Software 3.3" and then the choice of Solaris or Windows, depending on your operating system. When considering software upgrades, also consult: http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== Filters such as transit access control lists (tACLs) can be used to allow access to the Administration Workstation only from trusted hosts. This mitigation limits the attack surface of the vulnerability. Filters that deny HTTPS packets using TCP port 443 and TCP port 1741 should be deployed throughout the network as part of a tACL policy to protect the network from traffic that enters at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices that are behind it. Filters for HTTPS packets that use TCP port 443 and TCP port 1741 should also be deployed in front of vulnerable network devices so that only traffic from a trusted client is allowed. Note: Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge" at the following link: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20101027-cs.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered while handling customer support calls. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20101027-cs.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2010-October-27 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iFcDBQFMyDxIQXnnBKKRMNARCC+eAPwODq6zszCdkojQrJJmnycxMjFmlSHbdDB7 oNcMZgDOJQD+Kst+BQ9Lf1FopOdvkSfZutGixzb1pUhCkqJ0MFRx1e4= =jkSs -----END PGP SIGNATURE-----

The default configuration of Cisco Tandberg C Series Endpoints, and Tandberg E and EX Personal Video units, with software before TC4.0.0 has a blank password for the root account, which makes it easier for remote attackers to obtain access via an unspecified login method. The software version of the Tandberg unit can be determined by logging into the web-based user interface (UI) or using the “xStatus SystemUnit” command. Users can determine the Tandberg software version by entering the IP address of the codec in a web browser, authenticating (if the device is configured for authentication), and then selecting the “system info” menu option. The version number is displayed after the “Software Version” label in the System Info box. Alternatively the software version can be determined from the device's application programmer interface using the “xStatus SystemUnit” command. The software version running on the codec is displayed after the “SystemUnit Software Version” label. The output from “xStatus SystemUnit” will display a result similar to the following:” xStatus SystemUnit * *s SystemUnit ProductType: “Cisco TelePresence Codec” *s SystemUnit ProductId: “Cisco TelePresence Codec C90” *s SystemUnit ProductPlatform: “C90” *s SystemUnit Uptime: 597095 *s SystemUnit Software Application: “Endpoint” *s SystemUnit Software Version: “TC4.0” *s SystemUnit Software Name: “s52000” *s SystemUnit Software ReleaseDate: “2010-11-01” *s SystemUnit Software MaxVideoCalls: 3 *s SystemUnit Software MaxAudioCalls: 4 *s SystemUnit Software ReleaseKey: “true” *s SystemUnit Software OptionKeys NaturalPresenter: “true” *s SystemUnit Software OptionKeys MultiSite: “true” *s SystemUnit Software OptionKeys PremiumResolution: “true” *s SystemUnit Hardware Module SerialNumber: “B1AD25A00003” *s SystemUnit Hardware Module Identifier: “0” *s SystemUnit Hardware MainBoard SerialNumber: “PH0497201” *s SystemUnit Hardware MainBoard Identifier: “101401-3 [04]“ *s SystemUnit Hardware VideoBoard SerialNumber: “PH0497874” *s SystemUnit Hardware VideoBoard Identifier: “101560-1 [02]“ *s SystemUnit Hardware AudioBoard SerialNumber: “N/A” *s SystemUnit Hardware AudioBoard Identifier: ”“ *s SystemUnit Hardware BootSoftware: “U-Boot 2009.03-65” *s SystemUnit State System: Initialized *s SystemUnit State MaxNumberOfCalls: 3 *s SystemUnit State MaxNumberOfActiveCalls: 3 *s SystemUnit State NumberOfActiveCalls: 1 *s SystemUnit State NumberOfSuspendedCalls: 0 *s SystemUnit State NumberOfInProgressCalls: 0 *s SystemUnit State Subsystem Application: Initialized *s SystemUnit ContactInfo: “helpdesk@company.com” ** endA third party who has access to the product may gain administrator privileges. Cisco's multiple TANDBERG products have security vulnerabilities that allow local malicious users to gain control of the product. Determine the version of Tandberg. An attacker can exploit this issue to gain unauthorized root access to the affected devices. Successful exploits will result in the complete compromise of the affected device. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: TANDBERG Products Root Default Password Security Issue SECUNIA ADVISORY ID: SA43158 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43158/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43158 RELEASE DATE: 2011-02-04 DISCUSS ADVISORY: http://secunia.com/advisories/43158/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43158/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43158 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A security issue has been reported in multiple TANDBERG products, which can be exploited by malicious people to compromise a vulnerable system. PROVIDED AND/OR DISCOVERED BY: Reported by xorcist in an article of the 2600 magazine (volume 27, #3). ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20110202-tandberg.shtml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. An attacker could use this account in order to modify the application configuration or operating system settings. Resolving this default password issue does not require a software upgrade and can be changed or disabled by a configuration command for all affected customers. The workaround detailed in this document demonstrates how to disable the root account or change the password. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110202-tandberg.shtml. Details ======= Tandberg devices are part of the Cisco TelePresence Systems that provide Cisco TelePresence endpoints for immersive environments, conference rooms, individual desktops and home offices. These devices contain a root user that is enabled for advanced debugging that is unnecessary during normal operations. The root account is not the same as the admin and user accounts. The default configuration prior to TC 4.0.0 does not set a password for the root user. When a device is upgraded to TC 4.0.0, the root user is disabled. This vulnerability has been assigned the CVE ID CVE-2011-0354. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * Root account enabled by default with no password CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may allow an unauthorized user to modify the application configuration and the operating system settings or gain complete administrative control of the device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== The root user is disabled in the default configuration starting in the TC4.0.0 software version. To disable the root account, an administrator should log in to the applications programmer interface and use the command "systemtools rootsettings off" to temporarily disable the account, or the command "systemtools rootsettings never" to permanently disable the root user. The root user is enabled for advanced debugging. If the root user is needed, the password should be configured when the account is enabled. This can be done through the command "systemtools rootsettings on [password]". To disable the root account, an administrator should log in to the applications programmer interface and use the command "systemtools rootsettings off" to temporarily disable the account, or the command "systemtools rootsettings never" to permanently disable the root user. The root user is enabled for advanced debugging. If the root user is needed, the password should be configured when the account is enabled. This can be done through the command "systemtools rootsettings on [password]". The default configuration of devices running TC4.0.0 does not contain a password for the administrator account. The password for the administrator account should be set with the command "xCommand SystemUnit AdminPassword Set Password: [password]. The password for the root account is the same as the administrator password. The administrator password is set with the command "xCommand SystemUnit AdminPassword Set Password: [password]". Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== This vulnerability has been discussed in the article "Hacking and Securing the Tandberg C20" published in Volume 27, Number 3 of the 2600 Magazine. Status of this Notice: FINAL ============================ This information is Cisco Highly Confidential - Do not redistribute. THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN ERRORS OR OMIT IMPORTANT INFORMATION. THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20110202-tandberg.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2011-Feb-02 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- All contents are Copyright 2011-2007 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 02, 2011 Document ID: 112247 -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iF4EAREIAAYFAk1JjBQACgkQQXnnBKKRMNDwoAD/drZn3b3jiAKxHxsn8YUdNzOu KgtSit4dAjrrKx41AXkA/29dkXOf0nZu4y00cBHOGhKMkyj5DAZrkT6aqyvgnZmA =4vVm -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in HP Operations Orchestration before 9.0, when Internet Explorer 6.0 is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. HP Operations Orchestration is an operation and maintenance manual automation platform that automates the transformation and deployment of client devices and data center infrastructure. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Versions prior to HP Operations Orchestration 9.0 are vulnerable. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: HP Operations Orchestration Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA41983 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41983/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41983 RELEASE DATE: 2010-10-28 DISCUSS ADVISORY: http://secunia.com/advisories/41983/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41983/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41983 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in HP Operations Orchestration, which can be exploited by malicious people to conduct cross-site scripting attacks. Unspecified input is not properly sanitised before being returned to the user. SOLUTION: Upgrade to version 9.0 (contact HP Support for update information). PROVIDED AND/OR DISCOVERED BY: The vendor credits Michael Schratt, WienIT. ORIGINAL ADVISORY: HPSBMA02588 SSRT100001: http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02541822 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Race condition in Apple iOS 4.0 through 4.1 for iPhone 3G and later allows physically proximate attackers to bypass the passcode lock by making a call from the Emergency Call screen, then quickly pressing the Sleep/Wake button. Apple iPhone is prone to a security-bypass vulnerability due to a failure to restrict access to locked devices. An attacker with physical access to a locked device can exploit this issue to bypass the passcode and make calls to numbers in the address book. The following iOS are vulnerable: iOS version 4.2 beta iOS version 4.1 iOS version 4.0

The Netgear CG3000/CG3100 Cable Gateway is a wired gateway device. The Netgear CG3000/CG3100 Cable Gateway has multiple security vulnerabilities that allow an attacker to escalate privileges or perform denial of service. Access rights are handled incorrectly, allowing the logged in user to load the interface of the \"NETGEAR_SE\" user. The device does not verify the SSH passwords for the \"NETGEAR_SE\" and \"MSO\" users, providing a blank password to bypass the authentication access device. There is an error in the print server. Submitting a special message to the TCP 1024 or 9100 port can cause the device to reset.

Microsoft Windows Mobile is prone to a denial-of-service vulnerability because it fails to adequately validate user-supplied input. An attacker can exploit this issue to crash a device running Windows Mobile, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed. Windows Mobile versions 6.1 and 6.5 are vulnerable; other versions may also be affected.

The ftp_QUIT function in ftpserver.py in pyftpdlib before 0.5.0 allows remote authenticated users to cause a denial of service (file descriptor exhaustion and daemon outage) by sending a QUIT command during a disallowed data-transfer attempt. Pyftpdlib (Python FTP server library) provides an advanced portable programming interface for implementing asynchronous FTP server functions. An input validation vulnerability exists in the ftp_QUIT function in the ftpserver.py file in versions prior to pyftpdlib 0.5.0

ftpserver.py in pyftpdlib before 0.5.0 does not delay its response after receiving an invalid login attempt, which makes it easier for remote attackers to obtain access via a brute-force attack. Pyftpdlib (Python FTP server library) provides an advanced portable programming interface for implementing asynchronous FTP server functions

Multiple untrusted search path vulnerabilities in Phoenix Project Manager 2.1.0.8 allow local users to gain privileges via a Trojan horse (1) wbtrv32.dll or (2) w3btrv7.dll file in the current working directory, as demonstrated by a directory that contains a .ppx file. NOTE: some of these details are obtained from third party information. Supplementary information : CWE Vulnerability type by CWE-426: Untrusted Search Path ( Unreliable search path ) Has been identified. (1) wbtrv32.dll Or (2) w3btrv7.dll It may be possible to get permission through the file. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: Phoenix Project Manager Insecure Library Loading Vulnerability SECUNIA ADVISORY ID: SA41907 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41907/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41907 RELEASE DATE: 2010-10-20 DISCUSS ADVISORY: http://secunia.com/advisories/41907/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41907/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41907 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been discovered in Phoenix Project Manager, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the application loading libraries (e.g. wbtrv32.dll and w3btrv7.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into e.g. opening a PPX file located on a remote WebDAV or SMB share. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 2.1.0.8. Other versions may also be affected. SOLUTION: Do not open untrusted files. PROVIDED AND/OR DISCOVERED BY: anT!-Tr0J4n ORIGINAL ADVISORY: http://packetstormsecurity.org/1010-exploits/phoenix-dllhijack.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack-based buffer overflow in a certain ActiveX control in MediaDBPlayback.DLL 2.2.0.5 in the Moxa ActiveX SDK allows remote attackers to execute arbitrary code via a long PlayFileName property value. Moxa is committed to the development and manufacture of information networking products, providing customers with cost-effective and stable serial communication solutions, serial device networking solutions, and industrial Ethernet solutions. Failed exploit attempts will result in a denial-of-service condition. Moxa ActiveX SDK 2.2.0.5 is vulnerable; other versions may also be affected

Symantec Norton AntiVirus 2011 does not properly interact with the processing of hcp:// URLs by the Microsoft Help and Support Center, which makes it easier for remote attackers to execute arbitrary code via malware that is correctly detected by this product, but with a detection approach that occurs too late to stop the code execution. NOTE: the researcher indicates that a vendor response was received, stating that this issue "falls into the work of our Firewall and not our AV (per our methodology of layers of defense).". Symantec Norton Antivirus 2011 is prone to a security-bypass vulnerability that may allow an attacker to bypass virus scans. Successful exploits will allow attackers to bypass virus scanning, possibly allowing malicious files to escape detection

Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests. RealFlex RealWin HMI service (912/tcp) Contains multiple stack buffer overflow vulnerabilities. RealFlex RealWin HMI service (912/tcp) Contains two stack buffer overflow vulnerabilities. The first one is, SCPC_INITIALIZE() and SCPC_INITIALIZE_RF() In the function sprintf() Use, the second is SCPC_TXTEVENT() In the function strcpy() Due to the use of each.RealFlex RealWin HMI Service disruption by a third party with access to the service (DoS) An attacker may be attacked or execute arbitrary code. RealWin is a data acquisition and monitoring control system (SCADA) server product running on the Windows platform. - A boundary error occurred while processing the \"SCPC_INITIALIZE\" and \"SCPC_INITIALIZE_RF\" messages. Sending a specially constructed message to the TCP 912 port triggered a stack-based buffer overflow. - Handling \"SCPC_TXTEVENT\" messages with boundary errors, sending specially constructed messages to the TCP 912 port can trigger a stack-based buffer overflow. Failed exploit attempts will cause a denial-of-service condition. DATAC RealWin versions 2.0 and prior are vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: RealWin Packet Processing Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA41849 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41849/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41849 RELEASE DATE: 2010-10-18 DISCUSS ADVISORY: http://secunia.com/advisories/41849/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41849/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41849 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Luigi Auriemma has discovered two vulnerabilities in RealWin, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system. The vulnerabilities are confirmed in RealWin 2.1 Build 6.1.8.10. SOLUTION: Restrict network access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/realwin_1-adv.txt OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in OpenConnect before 2.23 allows remote AnyConnect SSL VPN servers to cause a denial of service (application crash) via a 404 HTTP status code. Openconnect is prone to a denial-of-service vulnerability. OpenConnect is an open client for Cisco AnyConnect VPN. An unspecified vulnerability exists in versions prior to OpenConnect 2.23

Cisco Secure Desktop (CSD), when used in conjunction with an AnyConnect SSL VPN server, does not properly perform verification, which allows local users to bypass intended policy restrictions via a modified executable file. is prone to a local security vulnerability. Cisco Secure Desktop (CSD) is an endpoint security solution that integrates firewall, access control, intrusion prevention, and application control

The Cisco trial client on Linux for Cisco AnyConnect SSL VPN allows local users to overwrite arbitrary files via a symlink attack on unspecified temporary files. Attackers can exploit this issue to overwrite arbitrary files with root privileges. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM) Beta. Join the beta: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Cisco AnyConnect VPN Client Privilege Escalation Vulnerability SECUNIA ADVISORY ID: SA42093 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42093/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42093 RELEASE DATE: 2010-11-04 DISCUSS ADVISORY: http://secunia.com/advisories/42093/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42093/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42093 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Cisco AnyConnect VPN Client, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability is reported in versions prior to 2.3 running on Linux and Mac. SOLUTION: Update to version 2.3. PROVIDED AND/OR DISCOVERED BY: Reported in the description of the OpenConnect client. ORIGINAL ADVISORY: http://www.infradead.org/openconnect.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The document view window in Accela BizSearch Gateway Option has the following vulnerabilities which allow a remote attacker to: * display a fraudulent web page over a legitimate web page * steal cookies stored in browser * place arbitrary cookies into browserA remote attacker could display a fraudulent web page over a legitimate one, steal cookies stored in browser or place arbitrary cookies into browser.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SAP Crystal Reports. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JobServer.exe process which listens by default on several TCP ports above 1024. When parsing a GIOP request, the process trusts a user-supplied 32-bit value and allocates a buffer on the heap. The process then proceeds to copy the string following this value from the packet until it finds a NULL byte. By crafting a specifically sized packet a remote attacker can overflow the buffer and gain code execution under the context of the SYSTEM user. SAP Crystal Reports is a powerful, dynamic, and actionable reporting solution that helps you design, navigate, and visualize report presentations, and deliver reports online or by embedding reports into enterprise applications. Failed exploit attempts will likely crash the application. ---------------------------------------------------------------------- Windows Applications Insecure Library Loading The Official, Verified Secunia List: http://secunia.com/advisories/windows_insecure_library_loading/ The list is continuously updated as we confirm the vulnerability reports so check back regularly too see if any of your apps are affected. ---------------------------------------------------------------------- TITLE: SAP Crystal Reports Two Vulnerabilities SECUNIA ADVISORY ID: SA41683 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/41683/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=41683 RELEASE DATE: 2010-10-16 DISCUSS ADVISORY: http://secunia.com/advisories/41683/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/41683/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=41683 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Two vulnerabilities have been reported in SAP Crystal Reports, which can be exploited by malicious people to compromise a vulnerable system. 1) A boundary error within CMS.exe when parsing GIOP requests can be exploited to cause a heap-based buffer overflow via a specially crafted packet. 2) A boundary error within JobServer.exe when parsing GIOP requests can be exploited to cause a heap-based buffer overflow via a specially crafted packet. SOLUTION: Apply patch. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ORIGINAL ADVISORY: SAP: https://websmp130.sap-ag.de/sap/support/notes/1509604 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-10-195/ http://www.zerodayinitiative.com/advisories/ZDI-10-196/ OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -- Vendor Response: SAP states: A solution was provided via SAP note 1509604 (https://websmp130.sap-ag.de/sap/support/notes/1509604) -- Disclosure Timeline: 2010-07-20 - Vulnerability reported to vendor 2010-10-12 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * AbdulAziz Hariri * Andrea Micalizzi aka rgod -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi

The Limit Mail feature in the Parental Controls functionality in Mail on Apple Mac OS X does not properly enforce the correspondence whitelist, which allows remote attackers to bypass intended access restrictions and conduct e-mail communication by leveraging knowledge of a child's e-mail address and a parent's e-mail address, related to parental notification of unapproved e-mail addresses. Mail is prone to a security bypass vulnerability. Mail (also known as Mail.app or Apple Mail) is an email client in the Mac OS X operating system launched by Apple

Unspecified vulnerability in the FTP Server in Oracle Solaris 8, 9, 10, and 11 Express allows remote attackers to affect availability. NOTE: the previous information was obtained from the January 2011 CPU. Oracle has not commented on claims from a reliable researcher that this is an issue in the glob implementation in libc that allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames. GNU libc is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to make the affected computer unresponsive, denying service to legitimate users. Multiple vendors' implementations are reported to be affected, including: NetBSD OpenBSD FreeBSD Oracle Solaris 10 Additional vendors' implementations may also be affected. ---------------------------------------------------------------------- Get a tax break on purchases of Secunia Solutions! If you are a U.S. company, you may be qualified for a tax break for your software purchases. For more information see vulnerability #2: SA42984 The vulnerability is reported in the following versions R15, R16, R16.1, and R16.2. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: Oracle Solaris Multiple Vulnerabilities SECUNIA ADVISORY ID: SA42984 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/42984/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=42984 RELEASE DATE: 2011-01-19 DISCUSS ADVISORY: http://secunia.com/advisories/42984/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/42984/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=42984 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges and by malicious people to disclose system information, cause a DoS (Denial of Service), and compromise a vulnerable system. 1) An unspecified error in the CDE Calendar Manager Service daemon can be exploited to potentially execute arbitrary code via specially crafted RPC packets. 2) An unspecified error in the FTP server can be exploited to cause a DoS. 3) An unspecified error in a Ethernet driver can be exploited to disclose certain system information. 4) An unspecified error in the kernel NFS component can be exploited to cause a DoS. 5) An unspecified error in the kernel can be exploited by local users to cause a DoS. 6) A second unspecified error in the kernel can be exploited by local users to cause a DoS. 7) An unspecified error in the Standard C Library (libc) can be exploited by local users to gain escalated privileges. 8) An unspecified error in the Fault Manager daemon can be exploited by local users to gain escalated privileges. 9) An unspecified error in the XScreenSaver component can be exploited by local users to gain escalated privileges. SOLUTION: Apply patches (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for January 2011 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information. ORIGINAL ADVISORY: http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:02.libc Security Advisory The FreeBSD Project Topic: glob(3) related resource exhaustion Category: core Module: libc Announced: 2013-02-19 Affects: All supported versions of FreeBSD. Corrected: 2013-02-05 09:53:32 UTC (stable/7, 7.4-STABLE) 2013-02-19 13:27:20 UTC (releng/7.4, 7.4-RELEASE-p12) 2013-02-05 09:53:32 UTC (stable/8, 8.3-STABLE) 2013-02-19 13:27:20 UTC (releng/8.3, 8.3-RELEASE-p6) 2013-02-05 09:53:32 UTC (stable/9, 9.1-STABLE) 2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6) 2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1) CVE Name: CVE-2010-2632 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>. I. Background The glob(3) function is a pathname generator that implements the rules for file name pattern matching used by the shell. II. Problem Description GLOB_LIMIT is supposed to limit the number of paths to prevent against memory or CPU attacks. The implementation however is insufficient. III. Impact An attacker that is able to exploit this vulnerability could cause excessive memory or CPU usage, resulting in a Denial of Service. A common target for a remote attacker could be ftpd(8). IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch # fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch.asc # gpg --verify libc.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. Restart all daemons, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart all daemons, or reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r246357 releng/7.4/ r246989 stable/8/ r246357 releng/8.3/ r246989 stable/9/ r246357 releng/9.0/ r246989 releng/9.1/ r246989 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-13:02.libc.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (FreeBSD) iEYEARECAAYFAlEjf80ACgkQFdaIBMps37JFUgCfUrw8Ky4U19COja6fna49Calv z/YAn1JSGxzHCo8vLj4XhtXqrQt68or4 =mCPv -----END PGP SIGNATURE----- . MacOSX 10.8.3 ftpd Remote Resource Exhaustion Maksymilian Arciemowicz http://cxsecurity.com/ http://cvemap.org/ Public Date: 01.02.2013 http://cxsecurity.com/cveshow/CVE-2010-2632 http://cxsecurity.com/cveshow/CVE-2011-0418 --- 1. Description --- Old vulnerability in libc allow to denial of service ftpd in MacOSX 10.8.3. Officially Apple has resolved this issue in Jun 2011. Apple use tnftpd as a main ftp server. tnftpd has migrated some functions from libc to own code (including glob(3)). Missing patch for resource exhaustion was added in version 20130322. To this time, we can use CVE-2010-2632 to denial of service the ftp server. The funniest is report http://support.apple.com/kb/ht4723 where CVE-2010-2632 was patched. That true 'libc is patched', but nobody from Apple has verified ftp. I really don't believe in penetrating testing form Apple side. Situation don't seems good. I has asked for open source donations, unfortunately Apple do not financial help vendors, what use their software in own products. Proof of Concept is available since 2010 http://cxsecurity.com/issue/WLB-2011030145 Video demonstrated how to kill Mac Mini in basic version i5 with 10GB RAM in 30 min is available on http://cxsec.org/video/macosx_ftpd_poc/ --- 2. References --- Multiple Vendors libc/glob(3) remote ftpd resource exhaustion http://cxsecurity.com/issue/WLB-2010100135 http://cxsecurity.com/cveshow/CVE-2010-2632 Multiple FTPD Server GLOB_BRACE|GLOB_LIMIT memory exhaustion http://cxsecurity.com/issue/WLB-2011050004 http://cxsecurity.com/cveshow/CVE-2011-0418 More CWE-399 resource exhaustion examples: http://cxsecurity.com/cwe/CWE-399 Last related to http://www.freebsd.org/security/advisories/FreeBSD-SA-13:02.libc.asc --- 3. Contact --- Maksymilian Arciemowicz Best regards, CXSEC TEAM http://cxsecurity.com/

Adobe Reader and Acrobat 8.x before 8.2.5 and 9.x before 9.4 on Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Adobe Acrobat and Reader are prone to a remote memory-corruption vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to and including 9.3.4 and 8.2.4 are affected. I. An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in, which can automatically open PDF documents hosted on a website, is available for multiple web browsers and operating systems. Additional information is available in US-CERT Vulnerability Note VU#491991. II. Impact These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF file. III. Solution Update Adobe has released updates to address this issue. Disable JavaScript in Adobe Reader and Acrobat Disabling JavaScript may prevent some exploits from resulting in code execution. Acrobat JavaScript can be disabled using the Preferences menu (Edit -> Preferences -> JavaScript; uncheck Enable Acrobat JavaScript). Adobe provides a framework to blacklist specific JavaScipt APIs. If JavaScript must be enabled, this feature may be useful when specific APIs are known to be vulnerable or used in attacks. Prevent Internet Explorer from automatically opening PDF files The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to a safer option that prompts the user by importing the following as a .REG file: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\AcroExch.Document.7] "EditFlags"=hex:00,00,00,00 Disable the display of PDF files in the web browser Preventing PDF files from opening inside a web browser will partially mitigate this vulnerability. If this workaround is applied, it may also mitigate future vulnerabilities. To prevent PDF files from automatically being opened in a web browser, do the following: 1. 2. Open the Edit menu. 3. Choose the Preferences option. 4. Choose the Internet section. 5. Uncheck the "Display PDF in browser" checkbox. Do not access PDF files from untrusted sources Do not open unfamiliar or unexpected PDF files, particularly those hosted on websites or delivered as email attachments. Please see Cyber Security Tip ST04-010. IV. References * Security update available for Adobe Reader and Acrobat - <http://www.adobe.com/support/security/bulletins/apsb10-21.html> * US-CERT Vulnerability Note VU#491991 - <http://www.kb.cert.org/vuls/id/491991> * Adobe Reader and Acrobat JavaScript Blacklist Framework - <http://kb2.adobe.com/cps/504/cpsid_50431.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA10-279A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA10-279A Feedback VU#491991" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2010 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History October 06, 2010: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBTKxxvD6pPKYJORa3AQIL3wgAp2tynQw73VA+B70fuEl+os17BeVaP8zn 5aoWS6QBRx+Q8Ijw1wnKT1sF4IWaDWTWqPo0yt6MLx8WwO2ei8WaB+aMOwy9ZBo3 BbCOPSM63/3jBrJuCDs4x2PhZDzg2GJf4Zw8NN2oCSOXMxYGhx16QQzo2lY35CBJ cvCSiLtNQuqpnvNMi2DJhArwxStK9Un2fli7IqwXzC6+RIgrk1l/EAM/6CO2+AwJ Se0bDWBjwR5YverLEXoLuBbF0lHvQ0+V/vT5Q/zBDYUwcWkBL2n7NwdbKI9pYZxL 8Te7YapqAnMNgI1/PnYI/W369Vq3U6QoQVVR9ZoyLGw8x0A57cpU2g== =Rc0h -----END PGP SIGNATURE-----