VARIoT IoT vulnerabilities database
| VAR-200908-0401 | CVE-2009-1726 | Apple Mac OS of ColorSync Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in ColorSync in Apple Mac OS X 10.4.11 and 10.5 before 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted image containing an embedded ColorSync profile. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues. A heap overflow exists when handling graphics embedded with ColorSync configuration files, opening malicious graphics may lead to unexpected application termination or arbitrary code execution. ----------------------------------------------------------------------
Secunia CSI integrated with Microsoft WSUS and Microsoft SCCM for 3rd party Patch Management
Free webinars
http://secunia.com/vulnerability_scanning/corporate/webinars/
----------------------------------------------------------------------
TITLE:
Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA40105
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/40105/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=40105
RELEASE DATE:
2010-06-09
DISCUSS ADVISORY:
http://secunia.com/advisories/40105/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/40105/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=40105
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
Some vulnerabilities have been reported in Apple Safari, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, conduct spoofing or cross-site
scripting attacks, and potentially compromise a user's system.
1) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to potentially execute
arbitrary code.
This is related to vulnerability #2 in:
SA36096
2) The browser follows links containing arbitrary user information
without warning, which can be exploited to facilitate phishing
attacks via specially crafted URLs.
3) A use-after-free error when handling PDF files can be exploited to
potentially execute arbitrary code.
4) An error in WebKit when handling clipboard URLs can be exploited
to disclose sensitive files if a user is tricked into dragging or
pasting links or images to a malicious website.
5) An error in WebKit when a selection from a website is dragged or
pasted into another website can be exploited to potentially execute
arbitrary JavaScript code in the context of the destination website.
6) An error in WebKit when handling UTF-7 encoded text can be
exploited to leave an HTML quoted string unterminated and facilitate
cross-site scripting attacks.
7) An input sanitation error in WebKit when handling Local Storage
and Web SQL databases can be exploited to create database files in
arbitrary directories via directory traversal attacks.
8) A use-after-free error in WebKit when rendering HTML buttons can
be exploited to potentially execute arbitrary code.
9) A use-after-free error in WebKit when handling attribute
manipulations can be exploited to potentially execute arbitrary
code.
10) An error in WebKit when handling HTML document fragments can be
exploited to execute arbitrary JavaScript code in a legitimate
context processing foreign HTML fragments.
11) An error in WebKit when handling keyboard focus can be exploited
to deliver key press events intended for a different frame.
12) An error in WebKit when handling DOM constructor objects can be
exploited to conduct cross-site scripting attacks.
13) A use-after-free error in WebKit when handling the removal of
container elements can be exploited to potentially execute arbitrary
code.
14) A use-after-free error in WebKit when rendering a selection at
the time of a layout change can be exploited to potentially execute
arbitrary code.
15) An error in WebKit when handling ordered list insertions can be
exploited to corrupt memory and potentially execute arbitrary code.
16) An uninitialised memory access error in WebKit when handling
selection changes on form input elements can be exploited to
potentially execute arbitrary code.
17) A use-after-free error in WebKit when handling caption elements
can be exploited to potentially execute arbitrary code.
18) A use-after-free error in WebKit when handling the
":first-letter" pseudo-element in cascading stylesheets can be
exploited to potentially execute arbitrary code.
19) A double-free error in WebKit when handling event listeners in
SVG documents can be exploited to potentially execute arbitrary
code.
20) An uninitialised memory access error in WebKit when handling
"use" elements in SVG documents can be exploited to potentially
execute arbitrary code.
21) A use-after-free error in WebKit when handling SVG documents with
multiple "use" elements can be exploited to potentially execute
arbitrary code.
22) An error in WebKit when handling nested "use" elements in SVG
documents can be exploited to corrupt memory and potentially execute
arbitrary code.
23) A use-after-free error in WebKit when handling CSS run-ins can be
exploited to potentially execute arbitrary code.
24) A use-after-free error in WebKit when handling HTML elements with
custom vertical positioning can be exploited to potentially execute
arbitrary code.
25) An error exists in WebKit when visiting HTTPS websites
redirecting to HTTP websites. This can be exploited to disclose
potentially sensitive information contained in the HTTPS URL by
reading the "Referer" header.
26) An integer truncation error in WebKit when handling TCP requests
can be exploited to pass arbitrary data to arbitrary TCP ports.
27) An error in WebKit when processing connections to IRC ports can
be exploited to send arbitrary data to arbitrary IRC servers.
28) A use-after-free error in WebKit when handling hover events can
be exploited to potentially execute arbitrary code.
29) An error in WebKit can be exploited to read NTLM credentials that
are incorrectly transmitted in plain-text via Man-in-the-Middle (MitM)
attacks.
30) A use-after-free error in WebKit when handling the "removeChild"
DOM method can be exploited to potentially execute arbitrary code.
31) An error in WebKit when handling libxml contexts can be exploited
to potentially execute arbitrary code.
32) An error in WebKit when handling a canvas with an SVG image
pattern can be exploited to load and capture an image from another
website.
33) An error in WebKit when rendering CSS-styled HTML content with
multiple ":after" pseudo-selectors can be exploited to corrupt memory
and potentially execute arbitrary code.
34) An error in WebKit when handling the "src" attribute of a frame
element can be exploited to facilitate cross-site scripting attacks.
35) A use-after-free error in WebKit when handling drag and drop
operations can be exploited to potentially execute arbitrary code.
36) An error in the implementation of the JavaScript "execCommand"
function can be exploited to modify the contents of the clipboard.
37) An error when handling malformed URLs can be exploited to bypass
the same-origin policy and execute arbitrary script code in the
context of a different domain.
38) A use-after-free error in WebKit when handling DOM "Range"
objects can be exploited to potentially execute arbitrary code.
39) A use-after-free error in WebKit when handling the
"Node.normalize()" method can be exploited to potentially execute
arbitrary code.
40) A use-after-free error in WebKit when rendering HTML document
subtrees can be exploited to potentially execute arbitrary code.
41) An error in WebKit when handling HTML content in "textarea"
elements can be exploited to conduct cross-site scripting attacks.
42) An error in WebKit when visiting a website which redirects form
submissions to a redirecting website can be exploited disclose
submitted data.
43) A type checking error in WebKit when handling text nodes can be
exploited to potentially execute arbitrary code.
44) A use-after-free error in WebKit when handling fonts can be
exploited to potentially execute arbitrary code.
45) An error in WebKit when handling HTML tables can be exploited to
trigger an out-of-bounds memory access and potentially execute
arbitrary code.
46) An error in WebKit when handling the CSS ":visited" pseudo-class
can be exploited to disclose visited websites.
PROVIDED AND/OR DISCOVERED BY:
37) Michal Zalewski
The vendor also credits:
1) Chris Evans of the Google Security Team, and Andrzej Dyjak
2) Abhishek Arya of Google
3) Borja Marcos of Sarenet
4) Eric Seidel of Google
5) Paul Stone of Context Information Security
6) Masahiro Yamada
8) Matthieu Bonetti of Vupen
9) Ralf Philipp Weinmann working with TippingPoint's Zero Day
Initiative
10, 41) Eduardo Vela Nava (sirdarckcat) of Google
11) Michal Zalewski of Google
12) Gianni "gf3" Chiappetta of Runlevel6
13, 15, 16, 18, 19, 20, 21, 23, 43) wushi of team509, working with
TippingPoint's Zero Day Initiative
14) wushi and Z of team509, working with TippingPoint's Zero Day
Initiative
17) regenrecht working with iDefense
22, 31) Aki Helin of OUSPG
24) Ojan Vafai of Google
25) Colin Percival of Tarsnap
28) Dave Bowker
30) Mark Dowd of Azimuth Security
32) Chris Evans of Google
33, 45) wushi of team509
34) Sergey Glazunov
35) kuzzcc, and Skylined of Google Chrome Security Team
38) Yaar Schnitman of Google
39) Mark Dowd
40) James Robinson of Google
42) Marc Worrell of WhatWebWhat
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT4196
Michal Zalewski:
http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/products/corporate/EVM/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. Some
have an unknown impact and others can be exploited by malicious
people to bypass certain security restrictions, disclose sensitive
information, or compromise a user's system.
For more information:
SA37931
SA40105
4) One unspecified vulnerability with an unknown impact has been
reported in WebKit included in iTunes. No further information is
currently available.
5) Two vulnerabilities in WebKit can be exploited by malicious people
to compromise a user's system.
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Chris Evans of the Google Security Team and
Andrzej Dyjak.
2) The vendor credits Kevin Finisterre, digitalmunition.com.
4) Reported by the vendor. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities
| VAR-200908-0272 | CVE-2009-2194 | Apple Mac OS Service disruption related to file descriptor sharing (DoS) Vulnerabilities |
CVSS V2: 4.9 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X 10.5 before 10.5.8 does not properly share file descriptors over local sockets, which allows local users to cause a denial of service (system crash) by placing file descriptors in messages sent to a socket that has no receiver, related to a "synchronization issue.". Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0270 | CVE-2009-2192 | Apple Mac OS of MobileMe Vulnerable to session hijacking |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
MobileMe in Apple Mac OS X 10.5 before 10.5.8 does not properly delete credentials upon signout from the preference pane, which makes it easier for attackers to hijack a MobileMe session via unspecified vectors, related to a "logic issue.". Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0271 | CVE-2009-2193 | Apple Mac OS of kernel Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the kernel in Apple Mac OS X 10.5 before 10.5.8 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a crafted AppleTalk response packet. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0268 | CVE-2009-2190 | Apple Mac OS of launchd Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
launchd in Apple Mac OS X 10.5 before 10.5.8 allows remote attackers to cause a denial of service (individual service outage) by making many connections to an inetd-based launchd service. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0269 | CVE-2009-2191 | Apple Mac OS Arbitrary login window execution vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Format string vulnerability in Login Window in Apple Mac OS X 10.4.11 and 10.5 before 10.5.8 allows attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in an application name. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0267 | CVE-2009-2188 | Apple Mac OS of ImageIO and Safari Vulnerable to arbitrary code execution |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Buffer overflow in ImageIO in Apple Mac OS X 10.5 before 10.5.8, and Safari before 4.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via an image with crafted EXIF metadata. Apple's ImageIO component is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.
Successful exploits will allow an attacker to run arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
This issue affects Mac OS X 10.5 through 10.5.7, Mac OS X Server 10.5 through 10.5.7, and Apple Safari prior to 4.0.3.
NOTE: This vulnerability was previously documented in BID 35954 (Apple Mac OS X 2009-003 Multiple Security Vulnerabilities) but has been given its own record to better document the issue.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
5) An error when processing four-finger Multi-Touch gestures can be
exploited by a person with physical access to a locked system to
manage applications or use Expose.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code.
For more information:
SA28923
SOLUTION:
Update to Mac OS X v10.5.8 or apply Security Update 2009-003. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0247 | CVE-2009-0151 | Apple Mac OS of Dock Vulnerability that can prevent locks in screen savers inside |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The screen saver in Dock in Apple Mac OS X 10.5 before 10.5.8 does not prevent four-finger Multi-Touch gestures, which allows physically proximate attackers to bypass locking and "manage applications or use Expose" via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-003.
The update addresses new vulnerabilities that affect the CFNetwork, ColorSync, CoreTypes, Dock, Image RAW, ImageIO, launchd, Login Window, MobileMe, Kernel, and XQuery components of Mac OS X. The advisory also contains security updates for seven previously reported issues.
I.
II. Impact
The impact of these vulnerabilities vary. Potential consequences
include arbitrary code execution, sensitive information disclosure,
denial of service, or privilege escalation.
III. These
and other updates are available via Software Update or via Apple
Downloads.
IV. Please send
email to <cert@cert.org> with "TA09-218A Feedback VU#426517" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
August 06, 2009: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSnsainIHljM+H4irAQLe2wgAg9ZJq3PGtU+CYHa6+n9Gli9l/NeIXQBb
JhKvrXwFYp1uCCs5bVlZ/80Wuq6BJgkv1kojnV6zhqZA7VkPQEhjGofvcUs9MsO8
jXQ6JPdZRd6jWmB4pFHPAD5NOpBV2fJN+JQQuep9xwlap/hITfZfj24+nVFciwXo
PdsptiEvpPcfsdan5ScQB+36MC4fRixUAgV+oWHDTgZJEaO1J2/5QiMK7+jWanXH
3jD6FIVdbJQcUmMDGle7RvURSuiX4jFq3D+lweDCtLwX576qx9m6QRbvnxaX8bfU
HFcStLJRmi2kFEMiqga83lIyhSB1g1t+rWy5MBH+xml0MSYO7V7z6w==
=A6S1
-----END PGP SIGNATURE-----
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An error in bzip2 can be exploited to terminate an application
using the library via a specially crafted archive.
For more information:
SA29410
2) An error in CFNetwork can be exploited by a malicious website to
control the URL displayed in a certificate warning when Safari
follows a redirect from a trusted website.
3) An error when processing ColorSync profiles embedded in a
specially crafted image can be exploited to cause a heap-based buffer
overflow and potentially execute arbitrary code.
4) An error when handling unsafe content types can be exploited to
execute a malicious JavaScript payload when a specially crafted file
is manually opened.
NOTE: This vulnerability only affects system having a Multi-Touch
trackpad.
6) An error when processing Canon RAW images can be exploited to
cause a stack-based buffer overflow and potentially execute arbitrary
code.
7) An error in ImageIO when processing OpenEXR images can be
exploited to cause a heap-based buffer overflow and potentially
execute arbitrary code.
8) Multiple errors in ImageIO when processing OpenEXR images can be
exploited to corrupt memory and potentially execute arbitrary code.
For more information:
SA36030
9) A boundary error in ImageIO when processing EXIF metadata can be
exploited to cause a buffer overflow and potentially execute
arbitrary code via a specially crafted image.
10) An error in ImageIO when processing PNG images can be exploited
to dereference an uninitialised pointer and potentially execute
arbitrary code.
11) An error in the "fcntl()" kernel implementation can be exploited
to corrupt kernel memory and execute arbitrary code with system
privileges via e.g. a specially crafted TIOCGWINSZ "fnctl()" call.
12) An error in launchd when servicing via inetd can be exploited to
cause a service hang by opening an overly large number of
connections.
13) A format string error in Login Window when handling application
names can be exploited to potentially execute arbitrary code.
14) The MobileMe preference pane fails to properly delete all
credentials when signing out. This can be exploited to access
previously signed in systems from the same local user account.
15) An error in the kernel when processing AppleTalk response packets
can be exploited to cause a buffer overflow and potentially execute
arbitrary code with system privileges.
16) A synchronization error when sharing file descriptors over local
sockets can be exploited to cause an unexpected system shutdown.
17) A boundary error in the PCRE library used by XQuery can be
exploited to cause a buffer overflow and potentially execute
arbitrary code. of Johns Hopkins University, HiNRG
The vendor also credits:
2) Kevin Day of Your.Org and Jason Mueller of Indiana University
4) Brian Mastenbrook, and Clint Ruoho of Laconic Security
6) Chris Ries of Carnegie Mellon University Computing Services
7) Lurene Grenier of Sourcefire VRT, and Chris Ries of Carnegie
Mellon University Computing Services
10) Tavis Ormandy of the Google Security Team
13) Alfredo Pesoli of 0xcafebabe.it
15) Ilja van Sprundel from IOActive
16) Bennet Yee of Google Inc.
CHANGELOG:
2009-08-06: Added link to "Original Advisory".
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3757
Chris Evans:
http://scary.beasts.org/security/CESA-2009-011.html
OTHER REFERENCES:
SA28923:
http://secunia.com/advisories/28923/
SA29410:
http://secunia.com/advisories/29410/
SA36030:
http://secunia.com/advisories/36030/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200908-0264 | CVE-2009-2198 | Apple GarageBand Information Disclosure Vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Apple GarageBand before 5.1 reconfigures Safari to accept all cookies regardless of domain name, which makes it easier for remote web servers to track users. Apple GarageBand is prone to an information-disclosure vulnerability.
Exploiting the issue may allow an attacker to obtain sensitive information that could aid in tracking a user's web activities.
This issue affects versions prior to GarageBand 5.1 for Mac OS X 10.5.7. Apple GarageBand is a set of music production software from Apple (Apple). ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Apple GarageBand Web Activity Tracking Disclosure
SECUNIA ADVISORY ID:
SA36114
VERIFY ADVISORY:
http://secunia.com/advisories/36114/
DESCRIPTION:
A security issue has been reported in GarageBand, which can be
exploited by malicious people to gain knowledge of sensitive
information.
The problem is caused due to Safari's preferences being changed to
always accept cookies when opening GarageBand. This could allow third
parties and advertisers to track a user's web activity.
SOLUTION:
Update to version 5.1.
http://support.apple.com/downloads/GarageBand_5_1
NOTE: Users of previous versions should also check that their Safari
preferences are set as desired.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://support.apple.com/kb/HT3732
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200909-0290 | CVE-2009-3455 | Apple Safari In any SSL Vulnerability impersonating a server |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Apple Safari, possibly before 4.0.3, on Mac OS X does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. SSL A vulnerability that impersonates a server exists. The problem is CVE-2009-2408 The problem is related to.By attackers, through a crafted certificate SSL There is a possibility of impersonating a server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
UPDATE (October 5, 2009): The vendor states that Safari on Mac OS X is not affected by this issue. This vulnerability is related to CVE-2009-2408
| VAR-200907-0748 | CVE-2009-2408 | plural  Mozilla product  any in  SSL Server spoofing vulnerability |
CVSS V2: 6.8 CVSS V3: 5.9 Severity: MEDIUM |
Mozilla Network Security Services (NSS) before 3.12.3, Firefox before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. NOTE: this was originally reported for Firefox before 3.5. plural Mozilla product for, X.509 certificate of Common Name (CN) within the domain name in the field. Mozilla Network Security Services (NSS) is a function library (network security service library) of the Mozilla Foundation in the United States. The product provides cross-platform support for SSL, S/MIME and other Internet security standards. There is a mismatch between the NSS library's handling of the domain name in the SSL certificate between the SSL client and the CA that issued the server certificate. If a malicious user requests a certificate from a hostname with an invalid null character, most CAs will issue a certificate as long as the requester has the domain specified after the null character, but most SSL clients (browsers) will ignore this part of the name, Using a null character before the portion of validation allows an attacker to use a fake certificate in a man-in-the-middle attack to establish a false trust relationship.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:217-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mozilla-thunderbird
Date : August 23, 2009
Affected: 2009.1
_______________________________________________________________________
Problem Description:
A number of security vulnerabilities have been discovered in Mozilla
Thunderbird:
Security issues in thunderbird could lead to a man-in-the-middle
attack via a spoofed X.509 certificate (CVE-2009-2408).
A vulnerability was found in xmltok_impl.c (expat) that with
specially crafted XML could be exploited and lead to a denial of
service attack. Related to CVE-2009-2625.
This update provides the latest version of Thunderbird which are not
vulnerable to these issues.
Update:
The mozilla-thunderbird-moztraybiff packages had the wrong release
which prevented it to be upgraded (#53129). The new packages addresses
this problem.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html
https://bugs.gentoo.org/show_bug.cgi?id=280615
https://qa.mandriva.com/53129
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.1:
e1c540f94c8b66fa4495de6015ed85db 2009.1/i586/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.i586.rpm
ab2fa7586f21de2f23216def8c542db6 2009.1/SRPMS/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
b9ff59f0c11d63a1234365ea55ed5f46 2009.1/x86_64/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.x86_64.rpm
ab2fa7586f21de2f23216def8c542db6 2009.1/SRPMS/mozilla-thunderbird-moztraybiff-1.2.4-4.1mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKzcjqmqjQ0CJFipgRArPoAKDTymDqJYIxV5BbT+2AwZppDwJIpACeJ4ht
VW9XZMiWqP+lDv+zVbOlvnY=
=ruxq
-----END PGP SIGNATURE-----
.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
For more information visit:
http://secunia.com/advisories/business_solutions/
Alternatively request a call from a Secunia representative today to
discuss how we can help you with our capabilities contact us at:
sales@secunia.com
----------------------------------------------------------------------
TITLE:
Network Security Services Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA36093
VERIFY ADVISORY:
http://secunia.com/advisories/36093/
DESCRIPTION:
Some vulnerabilities have been reported in Network Security Services,
which can potentially be exploited by malicious people to bypass
certain security restrictions or to compromise a vulnerable system.
1) An error in the regular expression parser when matching common
names in certificates can be exploited to cause a heap-based buffer
overflow, e.g. via a specially crafted certificate signed by a
trusted CA or when a user accepts a specially crafted certificate.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in the parsing of certain certificate fields,
which can be exploited to e.g. get a client to accept a specially
crafted certificate by mistake.
SOLUTION:
Update to version 3.12.3 or later.
PROVIDED AND/OR DISCOVERED BY:
Red Hat credits:
1) Moxie Marlinspike
2) Dan Kaminsky
ORIGINAL ADVISORY:
https://bugzilla.redhat.com/show_bug.cgi?id=512912
https://bugzilla.redhat.com/show_bug.cgi?id=510251
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
.
This update fixes these vulnerability
| VAR-200907-0062 | CVE-2009-1168 | Cisco IOS In RFC4893 BGP Service disruption related to routing processing (DoS) Vulnerabilities |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0(33)S4, 12.0(32)SY8 through 12.0(32)SY9, 12.2(33)SXI1, 12.2XNC before 12.2(33)XNC2, 12.2XND before 12.2(33)XND1, and 12.4(24)T1; and IOS XE 2.3 through 2.3.1t and 2.4 through 2.4.0; when RFC4893 BGP routing is enabled, allows remote attackers to cause a denial of service (memory corruption and device reload) by using an RFC4271 peer to send an update with a long series of AS numbers, aka Bug ID CSCsy86021. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCsy86021. May trigger memory corruption and crash showing %%Software-forced reload error. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An unspecified error exists in the processing of BGP update
messages. constructed from more than 1000 autonomous
systems.
SOLUTION:
Update to a fixed version (please see the vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol
4-Byte Autonomous System Number
Vulnerabilities
Advisory ID: cisco-sa-20090729-bgp
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Revision: 1.0
=========
For Public Release 2009 July 29 1600 UTC (GMT)
Summary
=======
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software
with support for four-octet AS number space (here after referred to as
4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path
segments made up of more than one thousand autonomous systems.
Cisco has released free software updates to address these
vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Affected Products
=================
Vulnerable Products
+------------------
These vulnerabilities affect only devices running Cisco IOS and
Cisco IOS XE Software (here after both referred to as simply Cisco
IOS) with support for RFC4893 and that have been configured for
BGP routing.
The software table in the section "Software Versions and Fixes" of
this advisory indicates all affected Cisco IOS Software versions that
have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS software version that has support for RFC4893 will allow
configuration of AS numbers using 4 Bytes. The following example
identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
<1.0-XX.YY> 4 Octets Autonomous system number
Or:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-4294967295> Autonomous system number
<1.0-XX.YY> Autonomous system number
The following example identifies a Cisco device that has 2 byte AS
number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
A router that is running the BGP process will contain a line in the
configuration that defines the autonomous system number (AS number),
which can be seen by issuing the command line interface (CLI) command
"show running-config".
The canonical textual representation of four byte AS Numbers is
standardized by the IETF through RFC5396 (Textual Representation of
Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS
routers support both textual representations of AS numbers. For
further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte
Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS" at
the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both
vulnerabilities if BGP routing is configured using either ASPLAIN or
ASDOT notation.
The following example identifies a Cisco device that is configured
for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured
for BGP using ASDOT notation:
router bgp 1.0
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS Software not explicitly mentioned in this Advisory
* Cisco IOS XR Software
* Cisco IOS NX-OS
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
RFC4271 has defined an AS number as a two-octet entity in BGP.
RFC4893 has defined an AS number as a four-octet entity in BGP.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains AS path segments made up of more
than one thousand autonomous systems. If an affected 4-byte AS number
BGP speaker receives a BGP update from a 2-byte AS number BGP speaker
that contains AS path segments made up of more than one thousand
autonomous systems, the device may crash with memory corruption, and
the error "%%Software-forced reload" will be displayed.
The following three conditions are required for successful
exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a BGP update with a
series of greater than one thousand AS numbers
Note: Note: Cisco IOS, Cisco IOS XE, Cisco NX-OS and Cisco IOS XR
Software, as a 2 byte AS number BGP speaker send BGP updates with
a maximum of 255 AS numbers. The following three conditions are
required for successful exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a non-RFC compliant
crafted BGP update message
This vulnerability is documented in Cisco Bug ID CSCta33973 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-2049.
Further information regarding Cisco support for 4-byte AS number is
available in "Cisco IOS BGP 4-Byte ASN Support" at the following
link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsy86021: Cisco IOS Software BGP Long AS-path Vulnerability
CVSS Base Score - 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 6.7
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
CSCta33973: Cisco IOS Software Crafted BGP Update Message Vulnerability
CVSS Base Score - 5.4
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 4.5
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. The issue could result
in repeated exploitation to cause an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |Recommended |
|12.0-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.0 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.0(32)S11 | |
| |are not vulnerable; first fixed in | |
|12.0S |12.0(32)S14; | |
| | | |
| |Releases up to and including 12.0(33)S2 are| |
| |not vulnerable; first fixed in 12.0(33)S5 | |
|----------+-------------------------------------------+------------|
|12.0SC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0ST |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SY |Releases up to and including 12.0(32)SY7 |12.0(32)SY10|
| |are not vulnerable; first fixed in | |
| |12.0(32)SY9a. | |
|----------+-------------------------------------------+------------|
|12.0SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0W |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.1-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.2-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.2 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2B |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EWA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2S |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SBC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SED |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SGA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2STE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.2(33)SXI | |
|12.2SXI |are not vulnerable; CSCsy86021 first fixed | |
| |in 12.2(33)SXI2; CSCta33973 first fixed in | |
| |12.2(33)SXI3 | |
|----------+-------------------------------------------+------------|
|12.2SY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2TPC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNC |12.2(33)XNC2 | |
|----------+-------------------------------------------+------------|
|12.2XND |12.2(33)XND1; available 25th August 2009 | |
|----------+-------------------------------------------+------------|
|12.2XO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZYA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.3-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.4-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.4 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to 12.4(24)T are not | |
|12.4T |vulnerable; first fixed in 12.4(24)T2 | |
| |available on 23-Oct-2009 | |
|----------+-------------------------------------------+------------|
|12.4XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YD |Not Vulnerable | |
+-------------------------------------------------------------------+
Cisco IOS XE Release Table
+-------------------------
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.1 | There are no affected 2.1 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.2 | There are no affected 2.2 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | Releases up to and including 2.3.1t are vulnerable; |
| 2.3 | First fixed in 2.3.2 |
| Releases | |
|----------+--------------------------------------------------------+
| Affected | Releases up to and including 2.4.0 are vulnerable; |
| 2.4 | First fixed in 2.4.1, available 25th August 2009 |
| Releases | |
+----------+--------------------------------------------------------+
Workarounds
===========
For the first vulnerability, there are no workarounds on the affected
device. Neighbors could be configured to discard routes that have
more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP
updates with the AS path segments made up of greater than one
thousand AS numbers.
Note: Configuring "bgp maxas-limit [value]" on the affected device
does not mitigate this vulnerability.
For the second vulnerability, configuring "bgp maxas-limit [value]"
on the affected device does mitigate this vulnerability. Cisco is
recommends using a conservative value of 100 to mitigate this
vulnerability.
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious exploitation of either of
these vulnerabilities, although we are aware of some customers who
have seen the first vulnerability triggered within their
infrastructures. Further investigation of those incidents seems to
indicate that the vulnerability has been accidentally triggered.
These vulnerabilities were discovered via internal product testing.
Status of this Notice: FINAL
============================
This information is Cisco Highly Confidential - Do not redistribute.
THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-July-29 1600 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKcGNc86n/Gc8U/uARAks6AKCCWLTakna/WbNzMuIbeGPJGJHnbQCfbYEi
I6XwyRZTnktw7RSnT6Y/N1E=
=KmUm
-----END PGP SIGNATURE-----
| VAR-200907-0096 | CVE-2009-2049 | Cisco IOS In RFC4893 BGP Service disruption related to routing processing (DoS) Vulnerabilities |
CVSS V2: 5.4 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0(32)S12 through 12.0(32)S13 and 12.0(33)S3 through 12.0(33)S4, 12.0(32)SY8 through 12.0(32)SY9, 12.2(33)SXI1 through 12.2(33)SXI2, 12.2XNC before 12.2(33)XNC2, 12.2XND before 12.2(33)XND1, and 12.4(24)T1; and IOS XE 2.3 through 2.3.1t and 2.4 through 2.4.0; when RFC4893 BGP routing is enabled, allows remote attackers to cause a denial of service (device reload) by using an RFC4271 peer to send a malformed update, aka Bug ID CSCta33973. Cisco IOS is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users.
This issue is being tracked by Cisco Bug ID CSCta33973. May trigger memory corruption and crash with \\%\\%Software-forced reload error. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia.
1) An unspecified error exists in the processing of BGP update
messages. constructed from more than 1000 autonomous
systems.
SOLUTION:
Update to a fixed version (please see the vendor advisory for
details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Cisco IOS Software Border Gateway Protocol
4-Byte Autonomous System Number
Vulnerabilities
Advisory ID: cisco-sa-20090729-bgp
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Revision: 1.0
=========
For Public Release 2009 July 29 1600 UTC (GMT)
Summary
=======
Recent versions of Cisco IOS Software support RFC4893 ("BGP Support
for Four-octet AS Number Space") and contain two remote denial of
service (DoS) vulnerabilities when handling specific Border Gateway
Protocol (BGP) updates.
These vulnerabilities affect only devices running Cisco IOS Software
with support for four-octet AS number space (here after referred to as
4-byte AS number) and BGP routing configured.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains autonomous system (AS) path
segments made up of more than one thousand autonomous systems.
Cisco has released free software updates to address these
vulnerabilities.
No workarounds are available for the first vulnerability.
A workaround is available for the second vulnerability.
This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
Affected Products
=================
Vulnerable Products
+------------------
These vulnerabilities affect only devices running Cisco IOS and
Cisco IOS XE Software (here after both referred to as simply Cisco
IOS) with support for RFC4893 and that have been configured for
BGP routing.
The software table in the section "Software Versions and Fixes" of
this advisory indicates all affected Cisco IOS Software versions that
have support for RFC4893 and are affected by this vulnerability.
A Cisco IOS software version that has support for RFC4893 will allow
configuration of AS numbers using 4 Bytes. The following example
identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
<1.0-XX.YY> 4 Octets Autonomous system number
Or:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-4294967295> Autonomous system number
<1.0-XX.YY> Autonomous system number
The following example identifies a Cisco device that has 2 byte AS
number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535> Autonomous system number
A router that is running the BGP process will contain a line in the
configuration that defines the autonomous system number (AS number),
which can be seen by issuing the command line interface (CLI) command
"show running-config".
The canonical textual representation of four byte AS Numbers is
standardized by the IETF through RFC5396 (Textual Representation of
Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS
routers support both textual representations of AS numbers. For
further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte
Autonomous System (AS) ASPLAIN and ASDOT Notation for Cisco IOS" at
the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_516829.html
Cisco IOS Software with support for RFC4893 is affected by both
vulnerabilities if BGP routing is configured using either ASPLAIN or
ASDOT notation.
The following example identifies a Cisco device that is configured
for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured
for BGP using ASDOT notation:
router bgp 1.0
To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
!--- output truncated
The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco products are confirmed not vulnerable:
* Cisco IOS Software not explicitly mentioned in this Advisory
* Cisco IOS XR Software
* Cisco IOS NX-OS
No other Cisco products are currently known to be affected by this
vulnerability.
Details
=======
RFC4271 has defined an AS number as a two-octet entity in BGP.
RFC4893 has defined an AS number as a four-octet entity in BGP.
The first vulnerability could cause an affected device to reload when
processing a BGP update that contains AS path segments made up of more
than one thousand autonomous systems. If an affected 4-byte AS number
BGP speaker receives a BGP update from a 2-byte AS number BGP speaker
that contains AS path segments made up of more than one thousand
autonomous systems, the device may crash with memory corruption, and
the error "%%Software-forced reload" will be displayed.
The following three conditions are required for successful
exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a BGP update with a
series of greater than one thousand AS numbers
Note: Note: Cisco IOS, Cisco IOS XE, Cisco NX-OS and Cisco IOS XR
Software, as a 2 byte AS number BGP speaker send BGP updates with
a maximum of 255 AS numbers. The following three conditions are
required for successful exploitation of this vulnerability:
* Affected Cisco IOS Software device is a 4-byte AS number BGP
speaker
* BGP peering neighbor is a 2-byte AS number BGP speaker
* BGP peering neighbor is capable of sending a non-RFC compliant
crafted BGP update message
This vulnerability is documented in Cisco Bug ID CSCta33973 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-2049.
Further information regarding Cisco support for 4-byte AS number is
available in "Cisco IOS BGP 4-Byte ASN Support" at the following
link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/data_sheet_C78-521821.html
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsy86021: Cisco IOS Software BGP Long AS-path Vulnerability
CVSS Base Score - 7.1
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 6.7
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
CSCta33973: Cisco IOS Software Crafted BGP Update Message Vulnerability
CVSS Base Score - 5.4
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Availability Impact Complete
CVSS Temporal Score - 4.5
Exploitability Functional
Remediation Level Official-Fix
Report Confidence Confirmed
Impact
======
Successful exploitation of the vulnerabilities described in this
document may result in a reload of the device. The issue could result
in repeated exploitation to cause an extended DoS condition.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |Recommended |
|12.0-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.0 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0DC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.0(32)S11 | |
| |are not vulnerable; first fixed in | |
|12.0S |12.0(32)S14; | |
| | | |
| |Releases up to and including 12.0(33)S2 are| |
| |not vulnerable; first fixed in 12.0(33)S5 | |
|----------+-------------------------------------------+------------|
|12.0SC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0ST |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0SY |Releases up to and including 12.0(32)SY7 |12.0(32)SY10|
| |are not vulnerable; first fixed in | |
| |12.0(32)SY9a. | |
|----------+-------------------------------------------+------------|
|12.0SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0W |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0WX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.0XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.1-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.2-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.2 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2B |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2BZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2CZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2DX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EWA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2EZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2FZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2IXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2MC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2S |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SBC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SCB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SED |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SEG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SGA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SRD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2STE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SVE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SXH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to and including 12.2(33)SXI | |
|12.2SXI |are not vulnerable; CSCsy86021 first fixed | |
| |in 12.2(33)SXI2; CSCta33973 first fixed in | |
| |12.2(33)SXI3 | |
|----------+-------------------------------------------+------------|
|12.2SY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2SZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2T |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2TPC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XI |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XNC |12.2(33)XNC2 | |
|----------+-------------------------------------------+------------|
|12.2XND |12.2(33)XND1; available 25th August 2009 | |
|----------+-------------------------------------------+------------|
|12.2XO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YO |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YS |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2YZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZH |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZU |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.2ZYA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| Affected | |Recommended |
|12.3-Based| First Fixed Release | Release |
| Releases | | |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases |
|-------------------------------------------------------------------|
| Affected | |Recommended |
|12.4-Based| First Fixed Release | Release |
| Releases | | |
|----------+-------------------------------------------+------------|
|12.4 |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JDD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JMB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4JX |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MDA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4MR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4SW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
| |Releases up to 12.4(24)T are not | |
|12.4T |vulnerable; first fixed in 12.4(24)T2 | |
| |available on 23-Oct-2009 | |
|----------+-------------------------------------------+------------|
|12.4XA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XC |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XD |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XE |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XF |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XG |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XJ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XK |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XL |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XM |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XN |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XP |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XQ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XR |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XT |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XV |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XW |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XY |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4XZ |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YA |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YB |Not Vulnerable | |
|----------+-------------------------------------------+------------|
|12.4YD |Not Vulnerable | |
+-------------------------------------------------------------------+
Cisco IOS XE Release Table
+-------------------------
+-------------------------------------------------------------------+
| Major | Availability of Repaired Releases |
| Release | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.1 | There are no affected 2.1 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | |
| 2.2 | There are no affected 2.2 based releases |
| Releases | |
|----------+--------------------------------------------------------|
| Affected | Releases up to and including 2.3.1t are vulnerable; |
| 2.3 | First fixed in 2.3.2 |
| Releases | |
|----------+--------------------------------------------------------+
| Affected | Releases up to and including 2.4.0 are vulnerable; |
| 2.4 | First fixed in 2.4.1, available 25th August 2009 |
| Releases | |
+----------+--------------------------------------------------------+
Workarounds
===========
For the first vulnerability, there are no workarounds on the affected
device. Neighbors could be configured to discard routes that have
more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP
updates with the AS path segments made up of greater than one
thousand AS numbers.
Note: Configuring "bgp maxas-limit [value]" on the affected device
does not mitigate this vulnerability.
For the second vulnerability, configuring "bgp maxas-limit [value]"
on the affected device does mitigate this vulnerability. Cisco is
recommends using a conservative value of 100 to mitigate this
vulnerability.
Consult the document "Protecting Border Gateway Protocol for the
Enterprise" at the following link for additional best practices on
protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use
in various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of malicious exploitation of either of
these vulnerabilities, although we are aware of some customers who
have seen the first vulnerability triggered within their
infrastructures. Further investigation of those incidents seems to
indicate that the vulnerability has been accidentally triggered.
These vulnerabilities were discovered via internal product testing.
Status of this Notice: FINAL
============================
This information is Cisco Highly Confidential - Do not redistribute.
THIS IS A DRAFT VERSION OF A SECURITY NOTICE THAT CONTAINS UNRELEASED
INFORMATION ABOUT CISCO PRODUCTS. DISTRIBUTION WITHIN CISCO IS
LIMITED TO PERSONNEL WITH A NEED TO KNOW. THIS DRAFT MAY CONTAIN
ERRORS OR OMIT IMPORTANT INFORMATION.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090729-bgp.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-------------------------------------------------------------------+
| Revision 1.0 | 2009-July-29 1600 | Initial public release |
+-------------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKcGNc86n/Gc8U/uARAks6AKCCWLTakna/WbNzMuIbeGPJGJHnbQCfbYEi
I6XwyRZTnktw7RSnT6Y/N1E=
=KmUm
-----END PGP SIGNATURE-----
| VAR-200907-0059 | CVE-2009-1165 | Cisco Wireless LAN Controller Memory leak vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0, 5.1 before 5.1.163.0, and 5.0 and 5.2 before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (memory consumption and device reload) via SSH management connections, aka Bug ID CSCsw40789. plural Cisco Used in products Cisco Wireless LAN Controller Contains a memory leak vulnerability. The problem is Bug ID : CSCsw40789 It is a problem.By a third party SSH Service disruption via management connection (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to trigger an affected device to crash and reload, denying service to legitimate users.
This issue is being tracked by Cisco BugID CSCsw40789. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
* The crafted HTTP or HTTPS request denial of service vulnerability
affects software versions 4.1 and later.
* The crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability affects software versions 4.1 and
later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsx03715 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
has been assigned CVE ID CVE-2009-1165.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsy27708 and
has been assigned CVE ID CVE-2009-1166.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
been assigned CVE ID CVE-2009-1167.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
| VAR-200907-0061 | CVE-2009-1167 | Cisco Wireless LAN Controller Vulnerabilities whose settings are changed |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to modify the configuration via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy44672. plural Cisco Used in products Cisco Wireless LAN Controller (WLC) Contains a vulnerability that can be changed. The problem is Bug ID : CSCsy44672 It is a problem.Skillfully crafted by a third party HTTP Or HTTPS Settings may be changed via request.
Successful exploits may allow attackers to modify configuration settings, which may compromise the affected device or aid in further attacks.
This issue is being tracked by Cisco Bug ID CSCsy44672. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections. An attacker could use this
behavior to cause an affected device to crash and reload.
Note: A three-way handshake is not required to exploit this
vulnerability.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
\xa9 2008 - 2009 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
| VAR-200907-0060 | CVE-2009-1166 | Cisco Wireless LAN Controller For managing Web Service disruption at the interface (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.x before 4.2.205.0 and 5.x before 5.2.191.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a crafted (1) HTTP or (2) HTTPS request, aka Bug ID CSCsy27708. plural Cisco Used in products Cisco Wireless LAN Controller (WLC) For managing Web Interface has a service disruption (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCsy27708 It is a problem.Skillfully crafted by a third party HTTP Or HTTPS Service disruption via request (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to trigger an affected device to crash and reload, causing denial-of-service conditions.
This issue is documented by Cisco Bug ID CSCsy27708. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
An attacker with access to the administrative web interface via
HTTP or HTTPS may cause the device to reload by providing a
malformed response to an authentication request.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
\xa9 2008 - 2009 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
| VAR-200908-0426 | CVE-2009-2093 | IBM WPG Enterprise In the console SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in the console in IBM WebSphere Partner Gateway (WPG) Enterprise 6.0 before FP8, 6.1 before FP3, 6.1.1 before FP2, and 6.2 before FP1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The issue affects the following:
WebSphere Partner Gateway 6.0 Enterprise
WebSphere Partner Gateway 6.1.0 Enterprise
WebSphere Partner Gateway 6.1.1 Enterprise
WebSphere Partner Gateway 6.2 Enterprise. ----------------------------------------------------------------------
Do you have VARM strategy implemented?
(Vulnerability Assessment Remediation Management)
If not, then implement it through the most reliable vulnerability
intelligence source on the market.
Implement it through Secunia. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
WebSphere Partner Gateway 6.0:
Apply the latest Fix Pack (WPG 6.0 FP8 or later) or APAR JR32608.
WebSphere Partner Gateway 6.1:
Apply the latest Fix Pack (WPG 6.1 FP3, WPG 6.1.1 FP2 or later), or
APAR JR32609 or APAR JR32386.
WebSphere Partner Gateway 6.2:
Apply the latest Fix Pack (WPG 6.2 FP1 or later) or APAR JR32607
(JR33176).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
IBM:
http://www-01.ibm.com/support/docview.wss?uid=swg21382117
IBM ISS X-Force:
http://xforce.iss.net/xforce/xfdb/52393
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200907-0058 | CVE-2009-1164 |
Cisco Wireless LAN Controller For managing Web Service disruption at the interface (DoS) Vulnerabilities
Related entries in the VARIoT exploits database: VAR-E-200907-1149 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The administrative web interface on the Cisco Wireless LAN Controller (WLC) platform 4.2 before 4.2.205.0 and 5.x before 5.2.178.0, as used in Cisco 1500 Series, 2000 Series, 2100 Series, 4100 Series, 4200 Series, and 4400 Series Wireless Services Modules (WiSM), WLC Modules for Integrated Services Routers, and Catalyst 3750G Integrated Wireless LAN Controllers, allows remote attackers to cause a denial of service (device reload) via a malformed response to a (1) HTTP or (2) HTTPS authentication request, aka Bug ID CSCsx03715. plural Cisco Used in products Cisco Wireless LAN Controller (WLC) For managing Web Interface has a service disruption (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCsx03715 It is a problem.By a third party HTTP Or HTTPS Service disruption through malformed responses to authentication requests (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to trigger an affected device to reboot, causing denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Wireless LAN Controllers
Advisory ID: cisco-sa-20090727-wlc
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
Revision 1.0
For Public Release 2009 July 27 1600 UTC (GMT)
- ---------------------------------------------------------------------
Summary
Multiple vulnerabilities exist in the Cisco Wireless LAN Controller
(WLC) platforms. This security advisory outlines the details of the
following vulnerabilities:
* Malformed HTTP or HTTPS authentication response denial of service
vulnerability
* SSH connections denial of service vulnerability
* Crafted HTTP or HTTPS request denial of service vulnerability
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
Cisco has released free software updates that address these
vulnerabilities.
* The SSH connections denial of service vulnerability affects
software versions 4.1 and later.
* The crafted HTTP or HTTPS request denial of service vulnerability
affects software versions 4.1 and later.
* The crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability affects software versions 4.1 and
later.
Determination of Software Versions
+---------------------------------
To determine the WLC version that is running in a given environment,
use one of the following methods:
* In the web interface, choose the Monitor tab, click Summary in
the left pane, and note the Software Version field.
Note: Customers who use a WLC Module in an Integrated Services
Router (ISR) will need to issue the service-module
wlan-controller 1/0 session command prior to performing the next
step on the command line. Customers who use a Cisco Catalyst
3750G Switch with an integrated WLC Module will need to issue the
session <Stack-Member-Number> processor 1 session command prior
to performing the next step on the command line.
* From the command-line interface, type show sysinfo and note the
Product Version field, as shown in the following example:
(Cisco Controller) >show sysinfo
Manufacturer's Name.. Cisco Systems Inc.
Product Name......... Cisco Controller
Product Version...... 5.1.151.0
RTOS Version......... Linux-2.6.10_mvl401
Bootloader Version... 4.0.207.0
Build Type........... DATA + WPS
<output suppressed>
Use the show wism module <module number> controller 1 status command
on a Cisco Catalyst 6500 Series/7600 Series Switch if you are using a
WiSM. Note the software version as demonstrated in the following
example, which shows version 5.1.151.0.
Router#show wism module 3 controller 1 status
WiSM Controller 1 in Slot 3
Operational Status of the Controller
: Oper-Up
Service VLAN
: 192
Service Port
: 10
Service Port Mac Address
: 0011.92ff.8742
Service IP Address
: 192.168.10.1
Management IP Address
: 192.168.1.123
Software Version
: 5.1.151.0
Port Channel Number
: 288
Allowed vlan list
: 30,40
Native VLAN ID
: 40
WCP Keep Alive Missed
: 0
Products Confirmed Not Vulnerable
+--------------------------------
The Cisco Wireless Controller 5500 Series is not affected by these
vulnerabilities.
Details
=======
Cisco Wireless LAN Controllers (WLCs) are responsible for system-wide
wireless LAN functions, such as security policies, intrusion
prevention, RF management, quality of service (QoS), and mobility.
These devices communicate with controller-based access points over
any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the
Lightweight Access Point Protocol (LWAPP).
This security advisory describes multiple distinct vulnerabilities in
the WLC family of devices.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsx03715 and
has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-1164.
* SSH connections denial of service vulnerability
Affected devices may be susceptible to a memory leak when they
handle SSH management connections.
Note: A three-way handshake is not required to exploit this
vulnerability.
This vulnerability is documented in Cisco Bug ID CSCsw40789 and
has been assigned CVE ID CVE-2009-1165.
* Crafted HTTP or HTTPS request denial of service vulnerability
An attacker with the ability to send a malicious HTTP request to
an affected WLC could cause the device to crash and reload.
Note: The vulnerability can be exploited only via the
administrative web-based interface; Web Authentication features
are not affected.
This vulnerability is documented in Cisco Bug ID CSCsy27708 and
has been assigned CVE ID CVE-2009-1166.
* Crafted HTTP or HTTPS request unauthorized configuration
modification vulnerability
An unauthorized configuration modification vulnerability exists
in all software versions prior to the first fixed release. A
remote, unauthenticated attacker who can submit HTTP or HTTPS
requests to the WLC directly could gain full control of the
affected device.
Note: The vulnerability can be exploited only by submitting such
a request to an IP address that is bound to an administrative
interface or VLAN.
The vulnerability is documented by Cisco Bug ID CSCsy44672 and has
been assigned CVE ID CVE-2009-1167.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsx03715 - Malformed HTTP or HTTPS authentication response denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsw40789 - SSH connections denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy27708 - Crafted HTTP or HTTPS request denial of service vulnerability
+-----------------------------------------------------
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsy44672 - Crafted HTTP or HTTPS request unauthorized configuration modification vulnerability
+-----------------------------------------------------
CVSS Base Score - 10
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
=====
Successful exploitation of the denial of service (DoS)
vulnerabilities may cause the affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
An unauthenticated, remote attacker may be able to use the
unauthorized configuration modification vulnerability to gain full
control over the Wireless LAN Controller if the attacker is able to
submit a crafted request directly to an administrative interface of
the affected device.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.comw/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+------------------------------------------------------+
| Vulnerability/ | Affected | First | Recommended |
| Bug ID | Release | Fixed | Release |
| | | Version | |
|----------------+----------+------------+-------------|
| | 4.1 | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.1M | Not | Not |
| | | Vulnerable | Vulnerable |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Malformed HTTP | 4.2M | Not | Not |
| or HTTPS | | Vulnerable | Vulnerable |
|authentication |----------+------------+-------------|
| response | | Migrate to | 5.2.193.0 |
| denial of | 5.0 | 5.2 or 6.0 | or |
| service | | | 6.0.182.0 |
|vulnerability |----------+------------+-------------|
| (CSCsx03715) | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| SSH | 4.2M | Not | Not |
| connections | | Vulnerable | Vulnerable |
|denial of |----------+------------+-------------|
| service | | Migrate to | 5.2.193.0 |
| vulnerability | 5.0 | 5.2 or 6.0 | or |
| (CSCsw40789) | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.1 | 5.1.163.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.178.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1 M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| | 4.2 | 4.2.205.0 | 4.2.207.0 |
| |----------+------------+-------------|
| Crafted HTTP | 4.2M | Not | Not |
| request may | | Vulnerable | Vulnerable |
|cause the WLC |----------+------------+-------------|
| to crash | | Migrate to | 5.2.193.0 |
| (CSCsy27708) | 5.0 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
|----------------+----------+------------+-------------|
| | 4.1 | Migrate to | 4.2.205.0 |
| | | 4.2 | |
| |----------+------------+-------------|
| | | | 5.2.193.0, |
| | | Migrate to | 6.0.182.0 |
| | 4.1M | 5.2, 6.0, | or |
| | | or 4.2M | 4.2.176.51 |
| | | | Mesh |
| |----------+------------+-------------|
| Crafted HTTP | 4.2 | 4.2.205.0 | 4.2.207.0 |
|or HTTPS |----------+------------+-------------|
| request | 4.2M | Not | Not |
| unauthorized | | Vulnerable | Vulnerable |
|configuration |----------+------------+-------------|
| modification | 5.0 | Migrate to | 5.2.193.0, |
| vulnerability | | 5.2 or 6.0 | 6.0.182.0 |
|(CSCsy44672) |----------+------------+-------------|
| | | Migrate to | 5.2.193.0 |
| | 5.1 | 5.2 or 6.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | | | 5.2.193.0 |
| | 5.2 | 5.2.191.0 | or |
| | | | 6.0.182.0 |
| |----------+------------+-------------|
| | 6.0 | Not | Not |
| | | Vulnerable | Vulnerable |
+------------------------------------------------------+
Workarounds
===========
The SSH connections denial of service vulnerability identified by
Cisco Bug ID CSCsw40789 may be remediated by disabling SSH on the
affected device. This workaround requires subsequent management of
the device to be performed using the HTTP/HTTPS web management
interface or the serial console of the device.
Additional mitigations that can be deployed on Cisco devices in the
network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090727-wlc.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing, or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
================================
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory at the time of
release.
The DoS vulnerability documented by CSCsw40789 was discovered during
the resolution of customer support cases.
The unauthorized configuration modification vulnerability documented
by CSCsy44672 was found during internal testing.
The DoS vulnerability documented by CSCsx03715 was discovered by
Christoph Bott of SySS GmbH.
The DoS vulnerability documented by CSCsy27708 was discovered by IBM
Research.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20090727-wlc.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2009-July-27 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
\xa9 2008 - 2009 Cisco Systems, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
iD8DBQFKbdU786n/Gc8U/uARAkG6AKCKI8yrbakylICPezA8Up2E1t372QCePJmj
RTTknUlr0VuKxVZLT0f8+gQ=
=x8Ly
-----END PGP SIGNATURE-----
| VAR-201106-0004 | CVE-2009-5078 | GNU troff of contrib/pdfmark/pdfroff.sh Vulnerable to arbitrary file creation |
CVSS V2: 6.4 CVSS V3: 6.5 Severity: MEDIUM |
contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 launches the Ghostscript program without the -dSAFER option, which allows remote attackers to create, overwrite, rename, or delete arbitrary files via a crafted document.
Successful exploits may allow attackers mount a symlink attack, which may allow the attacker to delete or corrupt sensitive files. Attackers can also rename arbitrary files and potentially cause a denial-of-service condition. Other attacks are also possible. Groff (GNU Troff) is the latest open source implementation of Troff, a document preparation system that generates print and screen documents for various devices from the same input source. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Groff: Multiple Vulnerabilities
Date: October 25, 2013
Bugs: #386335
ID: 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Groff, allowing
context-dependent attackers to conduct symlink attacks.
Background
==========
GNU Troff (Groff) is a text formatter used for man pages. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"
References
==========
[ 1 ] CVE-2009-5044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-201106-0002 | CVE-2009-5044 | GNU troff of contrib/pdfmark/pdfroff.sh Vulnerable to overwriting arbitrary files |
CVSS V2: 3.3 CVSS V3: - Severity: LOW |
contrib/pdfmark/pdfroff.sh in GNU troff (aka groff) before 1.21 allows local users to overwrite arbitrary files via a symlink attack on a pdf#####.tmp temporary file.
Successful exploits may allow attackers mount a symlink attack, which may allow the attacker to delete or corrupt sensitive files. Attackers can also rename arbitrary files and potentially cause a denial-of-service condition. Other attacks are also possible. Groff (GNU Troff) is the latest open source implementation of Troff, a document preparation system that generates print and screen documents for various devices from the same input source. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006
OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:
apache
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185
apache_mod_php
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description: Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148
Apple ID OD Plug-in
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able change the password of a
local user
Description: In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative
AppleGraphicsControl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious app may be able to access notifications from
other iCloud devices
Description: An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description: An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro
Bluetooth
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description: Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]
bootp
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description: Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)
CloudKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access the iCloud
user record of a previously signed in user
Description: A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto
CoreMedia Playback
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in CoreMedia Playback.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple
CoreText
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5761 : John Villamil (@day6reak), Yahoo Pentest Team
CoreText
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5755 : John Villamil (@day6reak), Yahoo Pentest Team
curl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities in cURL and libcurl prior to
7.38.0, one of which may allow remote attackers to bypass the Same
Origin Policy.
Description: Multiple vulnerabilities existed in cURL and libcurl
prior to 7.38.0. These issues were addressed by updating cURL to
version 7.43.0.
CVE-ID
CVE-2014-3613
CVE-2014-3620
CVE-2014-3707
CVE-2014-8150
CVE-2014-8151
CVE-2015-3143
CVE-2015-3144
CVE-2015-3145
CVE-2015-3148
CVE-2015-3153
Data Detectors Engine
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a sequence of unicode characters can lead to an
unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in processing of
Unicode characters. These issues were addressed through improved
memory handling.
CVE-ID
CVE-2015-5750 : M1x7e1 of Safeye Team (www.safeye.org)
Date & Time pref pane
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Applications that rely on system time may have unexpected
behavior
Description: An authorization issue existed when modifying the
system date and time preferences. This issue was addressed with
additional authorization checks.
CVE-ID
CVE-2015-3757 : Mark S C Smith
Dictionary Application
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: An attacker with a privileged network position may be able
to intercept users' Dictionary app queries
Description: An issue existed in the Dictionary app, which did not
properly secure user communications. This issue was addressed by
moving Dictionary queries to HTTPS.
CVE-ID
CVE-2015-3774 : Jeffrey Paul of EEQJ, Jan Bee of the Google Security
Team
DiskImages
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3800 : Frank Graziano of the Yahoo Pentest Team
dyld
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed in dyld. This was
addressed through improved environment sanitization.
CVE-ID
CVE-2015-3760 : beist of grayhash, Stefan Esser
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-3804 : Apple
CVE-2015-5775 : Apple
FontParser
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
font files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5756 : John Villamil (@day6reak), Yahoo Pentest Team
groff
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple issues in pdfroff
Description: Multiple issues existed in pdfroff, the most serious of
which may allow arbitrary filesystem modification. These issues were
addressed by removing pdfroff.
CVE-ID
CVE-2009-5044
CVE-2009-5078
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted TIFF image may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in the processing of
TIFF images. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2015-5758 : Apple
ImageIO
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Visiting a maliciously crafted website may result in the
disclosure of process memory
Description: An uninitialized memory access issue existed in
ImageIO's handling of PNG and TIFF images. Visiting a malicious
website may result in sending data from process memory to the
website. This issue is addressed through improved memory
initialization and additional validation of PNG and TIFF images.
CVE-ID
CVE-2015-5781 : Michal Zalewski
CVE-2015-5782 : Michal Zalewski
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with root privileges
Description: An issue existed in how Install.framework's 'runner'
binary dropped privileges. This issue was addressed through improved
privilege management.
CVE-ID
CVE-2015-5784 : Ian Beer of Google Project Zero
Install Framework Legacy
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A race condition existed in
Install.framework's 'runner' binary that resulted in
privileges being incorrectly dropped. This issue was addressed
through improved object locking.
CVE-ID
CVE-2015-5754 : Ian Beer of Google Project Zero
IOFireWireFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: Memory corruption issues existed in IOFireWireFamily.
These issues were addressed through additional type input validation.
CVE-ID
CVE-2015-3769 : Ilja van Sprundel
CVE-2015-3771 : Ilja van Sprundel
CVE-2015-3772 : Ilja van Sprundel
IOGraphics
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in IOGraphics. This
issue was addressed through additional type input validation.
CVE-ID
CVE-2015-3770 : Ilja van Sprundel
CVE-2015-5783 : Ilja van Sprundel
IOHIDFamily
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A buffer overflow issue existed in IOHIDFamily. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5774 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to determine kernel
memory layout
Description: An issue existed in the mach_port_space_info interface,
which could have led to the disclosure of kernel memory layout. This
was addressed by disabling the mach_port_space_info interface.
CVE-ID
CVE-2015-3766 : Cererdlong of Alibaba Mobile Security Team,
@PanguTeam
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: An integer overflow existed in the handling of IOKit
functions. This issue was addressed through improved validation of
IOKit API arguments.
CVE-ID
CVE-2015-3768 : Ilja van Sprundel
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A resource exhaustion issue existed in the fasttrap
driver. This was addressed through improved memory handling.
CVE-ID
CVE-2015-5747 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to cause a system denial of service
Description: A validation issue existed in the mounting of HFS
volumes. This was addressed by adding additional checks.
CVE-ID
CVE-2015-5748 : Maxime VILLARD of m00nbsd
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute unsigned code
Description: An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A specially crafted executable file could allow unsigned,
malicious code to execute
Description: An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute unsigned code
Description: A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted plist may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption existed in processing of malformed
plists. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3776 : Teddy Reed of Facebook Security, Patrick Stein
(@jollyjinx) of Jinx Germany
Kernel
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A path validation issue existed. This was addressed
through improved environment sanitization.
CVE-ID
CVE-2015-3761 : Apple
Libc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted regular expression may lead
to an unexpected application termination or arbitrary code execution
Description: Memory corruption issues existed in the TRE library.
These were addressed through improved memory handling.
CVE-ID
CVE-2015-3796 : Ian Beer of Google Project Zero
CVE-2015-3797 : Ian Beer of Google Project Zero
CVE-2015-3798 : Ian Beer of Google Project Zero
Libinfo
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: Memory corruption issues existed in handling AF_INET6
sockets. These were addressed by improved memory handling.
CVE-ID
CVE-2015-5776 : Apple
libpthread
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling syscalls.
This issue was addressed through improved lock state checking.
CVE-ID
CVE-2015-5757 : Lufeng Li of Qihoo 360
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in libxml2 versions prior
to 2.9.2, the most serious of which may allow a remote attacker to
cause a denial of service
Description: Multiple vulnerabilities existed in libxml2 versions
prior to 2.9.2. These were addressed by updating libxml2 to version
2.9.2.
CVE-ID
CVE-2012-6685 : Felix Groebert of Google
CVE-2014-0191 : Felix Groebert of Google
libxml2
Available for: OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory access issue existed in libxml2. This was
addressed by improved memory handling
CVE-ID
CVE-2014-3660 : Felix Groebert of Google
libxml2
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML document may lead to
disclosure of user information
Description: A memory corruption issue existed in parsing of XML
files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3807 : Apple
libxpc
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to execute arbitrary
code with system privileges
Description: A memory corruption issue existed in handling of
malformed XPC messages. This issue was improved through improved
bounds checking.
CVE-ID
CVE-2015-3795 : Mathew Rowley
mail_cmds
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary shell commands
Description: A validation issue existed in the mailx parsing of
email addresses. This was addressed by improved sanitization.
CVE-ID
CVE-2014-7844
Notification Center OSX
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A malicious application may be able to access all
notifications previously displayed to users
Description: An issue existed in Notification Center, which did not
properly delete user notifications. This issue was addressed by
correctly deleting notifications dismissed by users.
CVE-ID
CVE-2015-3764 : Jonathan Zdziarski
ntfs
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A memory corruption issue existed in NTFS. This issue
was addressed through improved memory handling.
CVE-ID
CVE-2015-5763 : Roberto Paleari and Aristide Fattori of Emaze
Networks
OpenSSH
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Remote attackers may be able to circumvent a time delay for
failed login attempts and conduct brute-force attacks
Description: An issue existed when processing keyboard-interactive
devices. This issue was addressed through improved authentication
request validation.
CVE-ID
CVE-2015-5600
OpenSSL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in OpenSSL versions prior
to 0.9.8zg, the most serious of which may allow a remote attacker to
cause a denial of service.
Description: Multiple vulnerabilities existed in OpenSSL versions
prior to 0.9.8zg. These were addressed by updating OpenSSL to version
0.9.8zg.
CVE-ID
CVE-2015-1788
CVE-2015-1789
CVE-2015-1790
CVE-2015-1791
CVE-2015-1792
perl
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted regular expression may lead to
disclosure of unexpected application termination or arbitrary code
execution
Description: An integer underflow issue existed in the way Perl
parsed regular expressions. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2013-7422
PostgreSQL
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: An attacker may be able to cause unexpected application
termination or gain access to data without proper authentication
Description: Multiple issues existed in PostgreSQL 9.2.4. These
issues were addressed by updating PostgreSQL to 9.2.13.
CVE-ID
CVE-2014-0067
CVE-2014-8161
CVE-2015-0241
CVE-2015-0242
CVE-2015-0243
CVE-2015-0244
python
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in Python 2.7.6, the most
serious of which may lead to arbitrary code execution
Description: Multiple vulnerabilities existed in Python versions
prior to 2.7.6. These were addressed by updating Python to version
2.7.10.
CVE-ID
CVE-2013-7040
CVE-2013-7338
CVE-2014-1912
CVE-2014-7185
CVE-2014-9365
QL Office
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted Office document may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of Office
documents. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5773 : Apple
QL Office
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted XML file may lead to
disclosure of user information
Description: An external entity reference issue existed in XML file
parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3784 : Bruno Morisson of INTEGRITY S.A.
Quartz Composer Framework
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted QuickTime file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in parsing of
QuickTime files. This issue was addressed through improved memory
handling.
CVE-ID
CVE-2015-5771 : Apple
Quick Look
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Searching for a previously viewed website may launch the web
browser and render that website
Description: An issue existed where QuickLook had the capability to
execute JavaScript. The issue was addressed by disallowing execution
of JavaScript.
CVE-ID
CVE-2015-3781 : Andrew Pouliot of Facebook, Anto Loyola of Qubole
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3772
CVE-2015-3779
CVE-2015-5753 : Apple
CVE-2015-5779 : Apple
QuickTime 7
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted file may lead to an
unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in QuickTime.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3765 : Joe Burnett of Audio Poison
CVE-2015-3788 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3789 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3790 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3791 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-3792 : Ryan Pentney and Richard Johnson of Cisco Talos
CVE-2015-5751 : WalkerFuz
SceneKit
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Viewing a maliciously crafted Collada file may lead to
arbitrary code execution
Description: A heap buffer overflow existed in SceneKit's handling
of Collada files. This issue was addressed through improved input
validation.
CVE-ID
CVE-2015-5772 : Apple
SceneKit
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in SceneKit. This
issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3783 : Haris Andrianakis of Google Security Team
Security
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A standard user may be able to gain access to admin
privileges without proper authentication
Description: An issue existed in handling of user authentication.
This issue was addressed through improved authentication checks.
CVE-ID
CVE-2015-3775 : [Eldon Ahrold]
SMBClient
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: A remote attacker may be able to cause unexpected
application termination or arbitrary code execution
Description: A memory corruption issue existed in the SMB client.
This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-3773 : Ilja van Sprundel
Speech UI
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted unicode string with speech
alerts enabled may lead to an unexpected application termination or
arbitrary code execution
Description: A memory corruption issue existed in handling of
Unicode strings. This issue was addressed by improved memory
handling.
CVE-ID
CVE-2015-3794 : Adam Greenbaum of Refinitive
sudo
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in sudo versions prior to
1.7.10p9, the most serious of which may allow an attacker access to
arbitrary files
Description: Multiple vulnerabilities existed in sudo versions prior
to 1.7.10p9. These were addressed by updating sudo to version
1.7.10p9.
CVE-ID
CVE-2013-1775
CVE-2013-1776
CVE-2013-2776
CVE-2013-2777
CVE-2014-0106
CVE-2014-9680
tcpdump
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Multiple vulnerabilities existed in tcpdump 4.7.3, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description: Multiple vulnerabilities existed in tcpdump versions
prior to 4.7.3. These were addressed by updating tcpdump to version
4.7.3.
CVE-ID
CVE-2014-8767
CVE-2014-8769
CVE-2014-9140
Text Formats
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Parsing a maliciously crafted text file may lead to
disclosure of user information
Description: An XML external entity reference issue existed with
TextEdit parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-3762 : Xiaoyong Wu of the Evernote Security Team
udf
Available for: OS X Yosemite v10.10 to v10.10.4
Impact: Processing a maliciously crafted DMG file may lead to an
unexpected application termination or arbitrary code execution with
system privileges
Description: A memory corruption issue existed in parsing of
malformed DMG images. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3767 : beist of grayhash
OS X Yosemite v10.10.5 includes the security content of Safari 8.0.8:
https://support.apple.com/en-us/HT205033
OS X Yosemite 10.10.5 and Security Update 2015-006 may be obtained
from the Mac App Store or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-----BEGIN PGP SIGNATURE-----
iQIcBAEBCAAGBQJVzM3+AAoJEBcWfLTuOo7tx/YP/RTsUUx0UTk7rXj6AEcHmiR4
Y2xTUOXqRmxhieSbsGK9laKL5++lIzkGh5RC7oYag0+OgWtZz+EU/EtdoEJmGNJ6
+PgoEnizYdKhO1kos1KCHOwG6UFCqoeEm6Icm33nVUqWp7uAmhVRMRxtMJEScLSR
2LpsK0grIhFXtJGqu053TSKSCa1UTab8XWteZTT84uFGMSKbAFONj5CPIrR6+uev
QpVTwrnskPDBOXJwGhjypvIBTbt2aa1wjCukOAWFHwf7Pma/QUdhKRkUK4vAb9/k
fu2t2fBOvSMguJHRO+340NsQR9LvmdruBeAyNUH64srF1jtbAg0QnvZsPyO5aIyR
A8WrzHl3oIc0II0y7VpI+3o0J3Nn03EcBPtIKeoeyznnjNziDm72HPI2d2+5ZSRz
xjAd4Nmw+dgGq+UMkusIXgtRK4HcEpwzfImf3zqnKHakSncnFPhGKyNEgn8bK9a7
AeAvSqMXXsJg8weHUF2NLnAn/42k2wIE8d5BOLaIy13xz6MJn7VUI21pK0zCaGBF
sfkRFZP0eEVh8ZzU/nWp9E5KDpbsd72biJwvjWH4OrmkfzUWxStQiVwPTxtZD9LW
c5ZWe+vqZJV9eYRH2hAOMPaYkOQ5Z4DySNVVOFAG0eq9til8+V0k3L7ipIVd2XUB
msu6gVP8uZhFYNb8byVJ
=+0e/
-----END PGP SIGNATURE-----
. This fixes a vulnerability,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.
For more information:
SA44999
SOLUTION:
Apply updated packages via the zypper package manager. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. ----------------------------------------------------------------------
Join Secunia @ FIRST Conference, 12-17 June, Hilton Vienna, Austria
See to the presentation "The Dynamics and Threats of End-Point Software Portfolios" by Secunia's Research Analyst Director, Stefan Frei.
Read more:
http://conference.first.org/
----------------------------------------------------------------------
TITLE:
GNU Troff "pdfroff" Script Insecure Temporary File Creation
SECUNIA ADVISORY ID:
SA44999
VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/44999/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=44999
RELEASE DATE:
2011-06-18
DISCUSS ADVISORY:
http://secunia.com/advisories/44999/#comments
AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/44999/
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=44999
ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
DESCRIPTION:
A vulnerability has been reported in GNU Troff, which can be
exploited by malicious, local users to perform certain actions with
escalated privileges.
The vulnerability is caused due to the "pdfroff" script creating
temporary files insecurely.
The vulnerability is reported in version 1.20. Other versions may
also be affected.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Reported in a Debian bug report by Brian M. Carlson.
ORIGINAL ADVISORY:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538330
OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
private users keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Low
Title: Groff: Multiple Vulnerabilities
Date: October 25, 2013
Bugs: #386335
ID: 201310-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple vulnerabilities have been found in Groff, allowing
context-dependent attackers to conduct symlink attacks.
Background
==========
GNU Troff (Groff) is a text formatter used for man pages. Please review
the CVE identifiers referenced below for details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Groff users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=sys-apps/groff-1.22.2"
References
==========
[ 1 ] CVE-2009-5044
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5044
[ 2 ] CVE-2009-5078
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5078
[ 3 ] CVE-2009-5079
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5079
[ 4 ] CVE-2009-5080
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5080
[ 5 ] CVE-2009-5081
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5081
[ 6 ] CVE-2009-5082
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5082
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201310-14.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5