VARIoT IoT vulnerabilities database

VAR-200802-0532 | No CVE | Multiple Vendor IP Camera ActiveX Control URL Parameter Stack Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
D-Link MPEG4 SHM Audio Control, 4XEM VatCtrl Class and Vivotek RTSP MPEG4 SP Control are all ActiveX controls installed by the IP cameras of their respective manufacturers.
A buffer overflow vulnerability exists in the implementation of the above-mentioned ActiveX controls of these network cameras. A remote attacker may exploit this vulnerability to take control of the user's system.
The VATDecoder.VatCtrl.1 ActiveX control (VATDecoder.dll), the RtspVaPgCtrl Class ActiveX control (RtspVapgDecoderNew.dll), and the VAPgDecoder.VaPgCtrl.1 ActiveX control (VAPGDecoder.dll) do not properly validate the string assigned to the Url parameter. If a user is deceived into accessing a malicious webpage and a long string is passed to this parameter, it may trigger a stack overflow and cause arbitrary instructions to be executed.
VAR-200802-0295 | CVE-2008-1049 | Parallels H-Sphere Used in Parallels SiteStudio Vulnerability in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Parallels SiteStudio before 1.7.2, and 1.8.x before 1.8b, as used in Parallels H-Sphere 3.0 before Patch 9 and 2.5 before Patch 11, has unknown impact and attack vectors. H-Sphere SiteStudio is prone to an unspecified vulnerability.
Very few technical details are currently available. We will update this BID as more information emerges.
Successful attacks can compromise the application.
Versions prior to H-Sphere SiteStudio 1.8b are affected.
----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI
has been released. The new version includes many new and advanced
features, which makes it even easier to stay patched.
Download and test it today:
https://psi.secunia.com/
Read more about this new version:
https://psi.secunia.com/?page=changelog
----------------------------------------------------------------------
TITLE:
H-Sphere SiteStudio Unspecified Vulnerability
SECUNIA ADVISORY ID:
SA29084
VERIFY ADVISORY:
http://secunia.com/advisories/29084/
CRITICAL:
Moderately critical
IMPACT:
Unknown
WHERE:
From remote
SOFTWARE:
H-Sphere 2.x
http://secunia.com/product/935/
SiteStudio 1.x
http://secunia.com/product/5069/
DESCRIPTION:
A vulnerability with unknown impact has been reported in H-Sphere
SiteStudio.
SOLUTION:
Update to H-Sphere version 2.5 Patch 11 and SiteStudio version 1.7.2
(see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.psoft.net/misc/hs_ss_technical_update.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200810-0446 | CVE-2008-4771 | Various IP Security Camera ActiveX Controls 'url' Attribute Buffer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in VATDecoder.VatCtrl.1 ActiveX control in (1) 4xem VatCtrl Class (VATDecoder.dll 1.0.0.27 and 1.0.0.51), (2) D-Link MPEG4 SHM Audio Control (VAPGDecoder.dll 1.7.0.5), (3) Vivotek RTSP MPEG4 SP Control (RtspVapgDecoderNew.dll 2.0.0.39), and possibly other products, allows remote attackers to execute arbitrary code via a long Url property. NOTE: some of these details are obtained from third party information. Various IP Security Camera ActiveX controls are prone to a remote buffer-overflow vulnerability because the applications fail to properly bounds-check user-supplied data before copying it into insufficiently sized memory buffers.
Exploiting this issue may allow remote attackers to execute arbitrary code in the context of applications that use the affected ActiveX control (typically Internet Explorer) and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.
4XEM VatCtrl Class ('VATDecoder.dll') 1.0.0.51.
Vivotek RTSP MPEG4 SP Control ('RtspVapgDecoderNew.dll') 2.0.0.39.
UPDATE (March 25, 2008): D-Link MPEG4 SHM Audio Control ('VAPGDecoder.dll') 1.7.0.5 identified by CLSID: A93B47FD-9BF6-4DA8-97FC-9270B9D64A6C is being actively exploited in the wild.
----------------------------------------------------------------------
TITLE:
4XEM VatDecoder VatCtrl Class ActiveX Control "Url" Property Buffer
Overflow
SECUNIA ADVISORY ID:
SA29146
VERIFY ADVISORY:
http://secunia.com/advisories/29146/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
4XEM VatDecoder 1.x
http://secunia.com/product/17836/
DESCRIPTION:
rgod has discovered a vulnerability in 4XEM VatDecoder, which can be
exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the
VATDecoder.VatCtrl.1 ActiveX control (VATDecoder.dll) when handling
strings assigned to the "Url" property. This can be exploited to
cause a stack-based buffer overflow by assigning an overly long
string to the affected property.
Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in VATDecoder.dll version 1.0.0.27 and
reported in version 1.0.0.51. Other versions may also be affected.
SOLUTION:
Set the kill-bit for the affected ActiveX control.
PROVIDED AND/OR DISCOVERED BY:
rgod
ORIGINAL ADVISORY:
http://www.milw0rm.com/exploits/5193
----------------------------------------------------------------------
VAR-200802-0286 | CVE-2008-1040 | Fujitsu Interstage Application Server Single Sign-On Buffer Overflow Vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the Single Sign-On function in Fujitsu Interstage Application Server 8.0.0 through 8.0.3 and 9.0.0, Interstage Studio 8.0.1 and 9.0.0, and Interstage Apworks 8.0.0 allows remote attackers to execute arbitrary code via a long URI. Fujitsu Interstage Application Server is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input.
Attackers may leverage this issue to execute arbitrary code in the context of the affected application. Failed attacks will likely cause denial-of-service conditions.
This issue affects the following applications:
Interstage Application Server Enterprise Edition 8.0.0, 8.0.1, 8.0.2, 8.0.3, 9.0.0, and 9.0.0A
Interstage Application Server Standard-J Edition 8.0.0, 8.0.1, 8.0.2, 8.0.3, 9.0.0, and 9.0.0A
Interstage Apworks Enterprise Edition 8.0.0
Interstage Apworks Standard-J Edition 8.0.0
Interstage Studio Enterprise Edition 8.0.1 and 9.0.0
Interstage Studio Standard-J Edition 8.0.1 and 9.0.0.
----------------------------------------------------------------------
TITLE:
Interstage Application Server Single Sign-On Buffer Overflow
SECUNIA ADVISORY ID:
SA29088
VERIFY ADVISORY:
http://secunia.com/advisories/29088/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
SOFTWARE:
Interstage Application Server 8.x
http://secunia.com/product/13685/
Interstage Application Server 9.x
http://secunia.com/product/15986/
DESCRIPTION:
A vulnerability has been reported in Interstage Application Server,
which can be exploited by malicious people to cause a DoS (Denial of
Service) or to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the Single
Sign-on function. This can be exploited to cause a buffer overflow by
sending a specially crafted request to the server.
Successful exploitation allows execution of arbitrary code.
Please see the vendor advisory for a list of affected products.
SOLUTION:
Please see the vendor advisory for a workaround.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200804e.html
----------------------------------------------------------------------
VAR-200812-0322 | CVE-2008-5286 | Integer overflow vulnerability in the _cupsImageReadPNG function of CUPS |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Integer overflow in the _cupsImageReadPNG function in CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow. The Common Unix Printing System (CUPS) is a general-purpose Unix printing system and a cross-platform printing solution for Unix environments. It is based on the Internet Printing Protocol and provides most PostScript and raster printer services.
The _cupsImageReadPNG() function in the CUPS PNG filter performs the following calculation:

    bufsize = img->xsize * img->ysize * 3;
    /* Validation check: the img->ysize * 3 term here can itself overflow. */
    if ((bufsize / (img->ysize * 3)) != img->xsize)
    {
      fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
              (unsigned)width, (unsigned)height);
      fclose(fp);
      return (1);
    }

The img->ysize * 3 term in the validation code can overflow as an integer, which can lead to arbitrary code execution. CUPS is prone to an integer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied PNG image sizes before using them to allocate memory buffers.
Successful exploits may allow attackers to execute arbitrary code with the privileges of a user running the utilities. Failed exploit attempts likely cause denial-of-service conditions.
Versions prior to CUPS 1.3.10 are vulnerable. CUPS is based on the Internet Printing Protocol and provides most PostScript and raster printer services.
For the stable distribution (etch) this problem has been fixed in
version 1.2.7-4etch6.
For testing distribution (lenny) this issue will be fixed soon.
For the unstable distribution (sid) this problem has been fixed in
version 1.3.8-1lenny4.
Upgrade Instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
-------------------------------
These files will probably be moved into the stable distribution on
its next update.
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
----------------------------------------------------------------------
TITLE:
CUPS "process_browse_data()" Double Free Vulnerability
SECUNIA ADVISORY ID:
SA28994
VERIFY ADVISORY:
http://secunia.com/advisories/28994/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
From local network
SOFTWARE:
CUPS 1.x
http://secunia.com/product/921/
DESCRIPTION:
A vulnerability has been discovered in CUPS, which can be exploited
by malicious people to cause a DoS (Denial of Service) or to
potentially compromise a vulnerable system.
The vulnerability is caused due to an error within the
"process_browse_data()" function when adding printers and classes.
This can be exploited to free the same buffer twice by sending
specially crafted browser packets to the UDP port on which cupsd is
listening (by default port 631/UDP).
The vulnerability is confirmed in version 1.3.5.
SOLUTION:
Update to version 1.3.6.
PROVIDED AND/OR DISCOVERED BY:
Reported as a CUPS bug by h.blischke.
ORIGINAL ADVISORY:
http://www.cups.org/str.php?L2656
----------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:028
http://www.mandriva.com/security/
_______________________________________________________________________
Package : cups
Date : January 24, 2009
Affected: 2008.0, 2008.1
_______________________________________________________________________
Problem Description:
Security vulnerabilities have been discovered and corrected in CUPS.
CUPS before 1.3.8 allows local users, and possibly remote attackers,
to cause a denial of service (daemon crash) by adding a large number
of RSS Subscriptions, which triggers a NULL pointer dereference
(CVE-2008-5183).
The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the
guest username when a user is not logged on to the web server, which
makes it easier for remote attackers to bypass intended policy and
conduct CSRF attacks via the (1) add and (2) cancel RSS subscription
functions (CVE-2008-5184).
The updated packages have been patched to prevent this.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0032
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
.
Affected packages
=================
-------------------------------------------------------------------
     Package         /  Vulnerable  /                    Unaffected
-------------------------------------------------------------------
  1  net-print/cups      < 1.3.9-r1                     >= 1.3.9-r1
Description
===========
Several buffer overflows were found in:
* The read_rle16 function in imagetops (CVE-2008-3639, found by
regenrecht, reported via ZDI)
* The WriteProlog function in texttops (CVE-2008-3640, found by
regenrecht, reported via ZDI)
* The Hewlett-Packard Graphics Language (HPGL) filter (CVE-2008-3641,
found by regenrecht, reported via iDefense)
* The _cupsImageReadPNG function (CVE-2008-5286, reported by iljavs)
Impact
======
A remote attacker could send specially crafted input to a vulnerable
server, resulting in the remote execution of arbitrary code with the
privileges of the user running the server.
Workaround
==========
None this time.
Resolution
==========
All CUPS users should upgrade to the latest version.
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-print/cups-1.3.9-r1"
References
==========
[ 1 ] CVE-2008-3639
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3639
[ 2 ] CVE-2008-3640
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3640
[ 3 ] CVE-2008-3641
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3641
[ 4 ] CVE-2008-5286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200812-11.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
.
===========================================================
Ubuntu Security Notice USN-707-1 January 12, 2009
cups, cupsys vulnerabilities
CVE-2008-5183, CVE-2008-5184, CVE-2008-5286, CVE-2008-5377
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
cupsys 1.2.2-0ubuntu0.6.06.12
Ubuntu 7.10:
cupsys 1.3.2-1ubuntu7.9
Ubuntu 8.04 LTS:
cupsys 1.3.7-1ubuntu3.3
Ubuntu 8.10:
cups 1.3.9-2ubuntu6.1
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that CUPS didn't properly handle adding a large number of RSS
subscriptions. A local user could exploit this and cause CUPS to crash, leading
to a denial of service. This issue only applied to Ubuntu 7.10, 8.04 LTS and
8.10. (CVE-2008-5183)
It was discovered that CUPS did not authenticate users when adding and
cancelling RSS subscriptions. An unprivileged local user could bypass intended
restrictions and add a large number of RSS subscriptions. This issue only
applied to Ubuntu 7.10 and 8.04 LTS. (CVE-2008-5184)
It was discovered that the PNG filter in CUPS did not properly handle certain
malformed images. In Ubuntu 7.10, 8.04 LTS, and 8.10,
attackers would be isolated by the AppArmor CUPS profile. (CVE-2008-5286)
It was discovered that the example pstopdf CUPS filter created log files in an
insecure way. Local users could exploit a race condition to create or overwrite
files with the privileges of the user invoking the program. This issue only
applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5377)
VAR-200803-0288 | CVE-2008-1114 | Vocera Communications Wireless Handset Hashed password stealing vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Vocera Communications wireless handsets, when using Protected Extensible Authentication Protocol (PEAP), do not validate server certificates, which allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle (MITM) attacks. Multiple VoIP products are prone to a security-bypass vulnerability in their PEAP implementation because their software fails to properly validate server certificates.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted authentication servers. This will aid in further attacks.
The following products are prone to this issue:
- Vocera Communications System badges
- Cisco Wireless IP Phone 7921
Other devices and packages may also be affected.
VAR-200803-0287 | CVE-2008-1113 | Cisco Unified Wireless IP Phone 7921 Hashed password stealing vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified Wireless IP Phone 7921, when using Protected Extensible Authentication Protocol (PEAP), does not validate server certificates, which allows remote wireless access points to steal hashed passwords and conduct man-in-the-middle (MITM) attacks. Multiple VoIP products are prone to a security-bypass vulnerability in their PEAP implementation because their software fails to properly validate server certificates.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted authentication servers. This will aid in further attacks.
The following products are prone to this issue:
- Vocera Communications System badges
- Cisco Wireless IP Phone 7921
Other devices and packages may also be affected.
TITLE:
Cisco IP Phone 7921 Insecure PEAP Implementation
SECUNIA ADVISORY ID:
SA29082
VERIFY ADVISORY:
http://secunia.com/advisories/29082/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
From local network
OPERATING SYSTEM:
Cisco IP Phone 7921
http://secunia.com/product/17833/
DESCRIPTION:
A security issue has been reported in Cisco IP Phone 7921, which
potentially can be exploited by malicious people to disclose
sensitive information.
The problem is that server certificates are not validated when using
the PEAP protocol. This can be exploited to e.g. gain knowledge of
authentication credentials when a user is tricked into connecting to
a malicious authentication server.
SOLUTION:
The vendor is reportedly working on an update and recommends using
EAP-TLS instead of PEAP.
PROVIDED AND/OR DISCOVERED BY:
Unknown researchers reported via ZDNet's Zero Day blog.
OTHER REFERENCES:
http://blogs.zdnet.com/security/?p=896
http://blogs.zdnet.com/security/?p=901
VAR-200802-0125 | CVE-2008-0894 | Apple Safari Vulnerability in obtaining important memory content |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Apple Safari might allow remote attackers to obtain potentially sensitive memory contents or cause a denial of service (crash) via a crafted (1) bitmap (BMP) or (2) GIF file, a related issue to CVE-2008-0420. This issue occurs when the application tries to handle malformed image files.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Attackers may also obtain potentially sensitive information that may aid in further attacks.
Very few details are currently available. We will update this BID as more information emerges.
This issue may be related to the one described in BID 27826 (Multiple Web Browser BMP Partial Palette Information Disclosure and Denial Of Service Vulnerability). This vulnerability is related to CVE-2008-0420.
VAR-200802-0189 | CVE-2008-0871 | Now SMS/MMS Gateway Vulnerable to stack-based buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple stack-based buffer overflows in Now SMS/MMS Gateway 2007.06.27 and earlier allow remote attackers to execute arbitrary code via a (1) long password in an Authorization header to the HTTP service or a (2) large packet to the SMPP service. Now SMS/MMS Gateway is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to insufficiently sized buffers.
Successfully exploiting these issues will allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application.
These issues affect Now SMS/MMS Gateway 2007.06.27 and prior versions. Now SMS & MMS Gateway (NowSMS) is a suite of SMS and MMS content delivery solutions from Now Wireless, UK. This solution can be used as SMS gateway, MMS gateway, WAP Push gateway and multimedia message center. The Web interface of NowSMS listening on port 8800 allows users to use the gateway to send various types of messages. The function used to process the base64 password in the HTTP Authorization parameter on this interface has a stack overflow vulnerability. If the user sends a message that exceeds 256 bytes, this overflow can be triggered, resulting in the execution of arbitrary instructions. NowSMS uses 4K bytes of stack buffer to accommodate incoming SMPP messages. Due to the lack of checking on the real size of the message (up to 0xffffffff bytes), a remote attacker can trigger stack overflow by sending an oversized message, resulting in the execution of arbitrary instructions. The SMPP server is not enabled by default and has no default listening port.
TITLE:
Now SMS/MMS Gateway HTTP/SMPP Handling Buffer Overflows
SECUNIA ADVISORY ID:
SA29003
VERIFY ADVISORY:
http://secunia.com/advisories/29003/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Now SMS/MMS Gateway 2007.x
http://secunia.com/product/17663/
DESCRIPTION:
Luigi Auriemma has discovered some vulnerabilities in Now SMS/MMS
Gateway, which can be exploited by malicious people to compromise a
vulnerable system.
Successful exploitation allows execution of arbitrary code.
2) A boundary error in the SMPP server when processing SMPP packets
can be exploited to cause a stack-based buffer overflow via a
specially crafted SMPP packet.
Successful exploitation allows execution of arbitrary code but
requires that the SMPP server is enabled and a specific port is set.
The vulnerabilities are confirmed in version 2007.06.27. Other
versions may also be affected.
SOLUTION:
Restrict network access to the services.
PROVIDED AND/OR DISCOVERED BY:
Luigi Auriemma
ORIGINAL ADVISORY:
http://aluigi.altervista.org/adv/nowsmsz-adv.txt
VAR-200802-0206 | CVE-2008-0830 | iPhoto for DPAP Service disruption at the server (DoS) Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Digital Photo Access Protocol (DPAP) server for iPhoto 4.0.3 allows remote attackers to cause a denial of service (crash) via a malformed dpap: URI, a different vulnerability than CVE-2008-0043. Apple iPhoto is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application, denying service to legitimate users.
Exploiting this issue will allow attackers to execute arbitrary code with the permissions of a user running the application. Failed attacks will likely cause denial-of-service conditions.
This issue affects Apple iPhoto 4.0.3 and prior versions.
VAR-200802-0141 | CVE-2008-0910 | plural F-Secure Vulnerability that can prevent malware in anti-virus products |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Multiple F-Secure anti-virus products, including Internet Security 2006 through 2008, Anti-Virus 2006 through 2008, F-Secure Protection Service, and others, allow remote attackers to bypass malware detection via a crafted RAR archive. NOTE: this might be related to CVE-2008-0792. F-Secure Anti-Virus is prone to a security bypass vulnerability. A remote attacker can bypass error checking with a well-crafted RAR program.
TITLE:
F-Secure Products CAB and RAR Archives Security Bypass
SECUNIA ADVISORY ID:
SA28919
VERIFY ADVISORY:
http://secunia.com/advisories/28919/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From remote
OPERATING SYSTEM:
F-Secure Messaging Security Gateway P-Series
http://secunia.com/product/8998/
F-Secure Messaging Security Gateway X-Series
http://secunia.com/product/8997/
SOFTWARE:
F-Secure Anti-Virus 2006
http://secunia.com/product/6882/
F-Secure Anti-Virus 2007
http://secunia.com/product/14374/
F-Secure Anti-Virus 2008
http://secunia.com/product/17554/
F-Secure Internet Security 2006
http://secunia.com/product/6883/
F-Secure Internet Security 2007
http://secunia.com/product/14375/
F-Secure Internet Security 2008
http://secunia.com/product/17555/
F-Secure Anti-Virus Client Security 6.x
http://secunia.com/product/5786/
F-Secure Anti-Virus Client Security 7.x
http://secunia.com/product/14381/
F-Secure Anti-Virus for Workstations 5.x
http://secunia.com/product/457/
F-Secure Anti-Virus for Workstations 7.x
http://secunia.com/product/14226/
F-Secure Anti-Virus Linux Client Security 5.x
http://secunia.com/product/14377/
F-Secure Anti-Virus for Linux 4.x
http://secunia.com/product/3165/
F-Secure Anti-Virus for Windows Servers 5.x
http://secunia.com/product/452/
F-Secure Anti-Virus for Windows Servers 7.x
http://secunia.com/product/14382/
F-Secure Anti-Virus Linux Server Security 5.x
http://secunia.com/product/14376/
F-Secure Anti-Virus for Citrix Servers 5.x
http://secunia.com/product/5198/
F-Secure Anti-Virus for Microsoft Exchange 6.x
http://secunia.com/product/454/
F-Secure Anti-Virus for Microsoft Exchange 7.x
http://secunia.com/product/14551/
F-Secure Internet Gatekeeper 6.x
http://secunia.com/product/3339/
F-Secure Internet Gatekeeper for Linux 2.x
http://secunia.com/product/4635/
F-Secure Anti-Virus for MIMEsweeper 5.x
http://secunia.com/product/455/
DESCRIPTION:
A vulnerability has been reported in various F-Secure products, which
can be exploited by malware to bypass the scanning functionality.
The vulnerability is caused due to an error in the handling of CAB
and RAR files and can be exploited to bypass the anti-virus scanning
functionality via a specially crafted CAB or RAR file. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Thierry Zoller of n.runs AG.
ORIGINAL ADVISORY:
http://www.f-secure.com/security/fsc-2008-1.shtml
VAR-200802-0091 | CVE-2008-0792 | plural F-Secure Vulnerability that can prevent malware in anti-virus products |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Multiple F-Secure anti-virus products, including Internet Security 2006 through 2008, Anti-Virus 2006 through 2008, F-Secure Protection Service, and others, allow remote attackers to bypass malware detection via a crafted CAB archive. F-Secure Anti-Virus is prone to a security bypass vulnerability. A remote attacker can bypass error checking with a well-crafted RAR program. Note: This vulnerability may be related to CVE-2008-0792.
TITLE:
F-Secure Products CAB and RAR Archives Security Bypass
SECUNIA ADVISORY ID:
SA28919
VERIFY ADVISORY:
http://secunia.com/advisories/28919/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
From remote
OPERATING SYSTEM:
F-Secure Messaging Security Gateway P-Series
http://secunia.com/product/8998/
F-Secure Messaging Security Gateway X-Series
http://secunia.com/product/8997/
SOFTWARE:
F-Secure Anti-Virus 2006
http://secunia.com/product/6882/
F-Secure Anti-Virus 2007
http://secunia.com/product/14374/
F-Secure Anti-Virus 2008
http://secunia.com/product/17554/
F-Secure Internet Security 2006
http://secunia.com/product/6883/
F-Secure Internet Security 2007
http://secunia.com/product/14375/
F-Secure Internet Security 2008
http://secunia.com/product/17555/
F-Secure Anti-Virus Client Security 6.x
http://secunia.com/product/5786/
F-Secure Anti-Virus Client Security 7.x
http://secunia.com/product/14381/
F-Secure Anti-Virus for Workstations 5.x
http://secunia.com/product/457/
F-Secure Anti-Virus for Workstations 7.x
http://secunia.com/product/14226/
F-Secure Anti-Virus Linux Client Security 5.x
http://secunia.com/product/14377/
F-Secure Anti-Virus for Linux 4.x
http://secunia.com/product/3165/
F-Secure Anti-Virus for Windows Servers 5.x
http://secunia.com/product/452/
F-Secure Anti-Virus for Windows Servers 7.x
http://secunia.com/product/14382/
F-Secure Anti-Virus Linux Server Security 5.x
http://secunia.com/product/14376/
F-Secure Anti-Virus for Citrix Servers 5.x
http://secunia.com/product/5198/
F-Secure Anti-Virus for Microsoft Exchange 6.x
http://secunia.com/product/454/
F-Secure Anti-Virus for Microsoft Exchange 7.x
http://secunia.com/product/14551/
F-Secure Internet Gatekeeper 6.x
http://secunia.com/product/3339/
F-Secure Internet Gatekeeper for Linux 2.x
http://secunia.com/product/4635/
F-Secure Anti-Virus for MIMEsweeper 5.x
http://secunia.com/product/455/
DESCRIPTION:
A vulnerability has been reported in various F-Secure products, which
can be exploited by malware to bypass the scanning functionality.
The vulnerability is caused due to an error in the handling of CAB
and RAR files and can be exploited to bypass the anti-virus scanning
functionality via a specially crafted CAB or RAR file. Please see the vendor's advisory for details.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Thierry Zoller of n.runs AG.
ORIGINAL ADVISORY:
http://www.f-secure.com/security/fsc-2008-1.shtml
VAR-200802-0008 | CVE-2008-0026 | Cisco Unified Communications Manager In key Parameter SQL Injection vulnerability |
CVSS V2: 6.5 CVSS V3: - Severity: MEDIUM |
SQL injection vulnerability in Cisco Unified CallManager/Communications Manager (CUCM) 5.0/5.1 before 5.1(3a) and 6.0/6.1 before 6.1(1a) allows remote authenticated users to execute arbitrary SQL commands via the key parameter to the (1) admin and (2) user interface pages.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco bug ID CSCsk64286.
Input passed to the "key" parameter is not properly sanitised before
being used in SQL queries. This can be exploited to manipulate SQL
queries by injecting arbitrary SQL code.
SOLUTION:
Apply updated packages.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml
A successful attack could allow an authenticated attacker to access
information such as usernames and password hashes that are stored in
the database.
Cisco has released free software updates that address this
vulnerability.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0026
has been assigned to this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml.
The software version of a CallManager or Unified Communications
Manager system can be determined by navigating to Show > Software via
the administration interface.
For Unified Communications Manager, the software version can also be
determined by running the show version active command in the Command
Line Interface (CLI). No 3.x and 4.x releases
are vulnerable.
No other Cisco products are known to be affected by this
vulnerability. This
solution extends enterprise telephony features and functions to
packet telephony network devices such as IP phones, media processing
devices, voice-over-IP (VoIP) gateways, and multimedia applications. Attacks against this vulnerability
are conducted through the web interface and use the http or https
protocol. A successful attack could terminate a SQL call and force a
connection to the back-end database resulting in the disclosure of
potentially sensitive information such as usernames and password
hashes.
This vulnerability is documented as bug ID CSCsk64286.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is performed in accordance with
CVSS version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsl08519 - SQL Injection Vulnerability in User And Admin Interface
Pages
CVSS Base Score - 4
Access Vector - Network
Access Complexity - Low
Authentication - Single
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 3.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
An authenticated attacker may be able to exploit this vulnerability
to extract records from the Cisco Unified Communications Manager
database. A successful attack might retrieve sensitive data such as
user names, password hashes, and information from call records. An
attacker cannot use this vulnerability to alter or delete call record
information from the database.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Version 5.1 - Fixed Release 5.1(3a):
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-51?psrtdcat20e2
Version 6.1 - Fixed Release 6.1(1a)
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2
Workarounds
===========
There are no workarounds for this vulnerability.
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound by
the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any malicious use of the
vulnerability described in this advisory; however, the vulnerability
is expected to be discussed in public announcements. This advisory
will be updated with references to any public messages relating to
this vulnerability once they become available.
This vulnerability was reported to Cisco by Nico Leidecker and Tracey
Parry at Portcullis Computer Security Limited. Cisco PSIRT would like
to thank these two individuals for bringing this issue to our
attention and for working with PSIRT toward coordinated disclosure of
the issue. Cisco PSIRT greatly appreciates the opportunity to work
with researchers on security vulnerabilities and welcomes the
opportunity to review and assist in product reports.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-cucmsql.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+------------------+-------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+--------------+------------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
----------------------------------------------------------------------
All contents are Copyright © 2006-2007 Cisco Systems, Inc. All rights
reserved. Important Notices and Privacy Statement.
----------------------------------------------------------------------
Updated: Feb 13, 2008 Document ID: 100358
----------------------------------------------------------------------
VAR-200802-0044 | CVE-2008-0529 | Cisco Unified IP Phone of SCCP as well as SIP Protocol Multiple remote vulnerabilities in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in the telnet server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G running SCCP firmware might allow remote authenticated users to execute arbitrary code via a crafted command. Arbitrary code may be executed via a command crafted by a third party. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and
CSCsk21863. It is possible
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to workaround this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
SCCP firmware version 3.3(15) for 7936 devices. This
vulnerability is documented in CVE-2008-0527 and
Cisco Bug ID CSCsk20026. By
sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It is possible to workaround this issue by
disabling the internal SSH server on vulnerable phones. The
internal SSH server only listens to TCP port 22. This
vulnerability is corrected in SCCP firmware version 8.2(2)SR2.
This vulnerability is documented in CVE-2004-2486
and Cisco Bug ID CSCsh79629. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0528 and Cisco Bug ID
CSCsj74786. The telnet server is disabled by
default and can be configured to allow either privileged or
unprivileged user-level access. If the telnet server is enabled
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID
CSCsj78359. If an
attacker controls the SIP proxy to which a vulnerable phone is
registered, attempts to register, or the attacker can act as a
man-in-the-middle, it may be possible to send a malicious
challenge/response message to a phone and execute arbitrary code.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531
and Cisco Bug ID CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will
eliminate exposure to the Telnet Server overflow and HTTP Server DoS
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Fixed firmware for all SCCP-related vulnerabilities can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2
Fixed Firmware for SIP-Related Vulnerabilities
All the SIP-related vulnerabilities referenced in this advisory are
fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP
Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco
by a customer. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
Successful exploitation may allow execution of arbitrary code but
requires e.g. control of a SIP proxy.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
Georgia Institute of Technology
6) Reported by a Cisco customer
7) Sven Weizenegger, T-Systems
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
VAR-200802-0043 | CVE-2008-0528 | Cisco Unified IP Phone of SCCP as well as SIP Protocol Multiple remote vulnerabilities in |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SIP firmware might allow remote attackers to execute arbitrary code via a SIP message with crafted MIME data.
An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and
CSCsk21863. It is possible
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110. By sending a specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to work around this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
SCCP firmware version 3.3(15) for 7936 devices. This
vulnerability is documented in CVE-2008-0527 and
Cisco Bug ID CSCsk20026. By
sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It is possible to work around this issue by
disabling the internal SSH server on vulnerable phones. The
internal SSH server only listens to TCP port 22. This
vulnerability is corrected in SCCP firmware version 8.2(2)SR2.
This vulnerability is documented in CVE-2004-2486
and Cisco Bug ID CSCsh79629. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0528 and Cisco Bug ID
CSCsj74786. The telnet server is disabled by
default and can be configured to allow either privileged or
unprivileged user-level access. If the telnet server is enabled
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID
CSCsj78359.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531
and Cisco Bug ID CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will
eliminate exposure to the Telnet Server overflow and HTTP Server DoS
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Fixed firmware for all SCCP-related vulnerabilities can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2
Fixed Firmware for SIP-Related Vulnerabilities
All the SIP-related vulnerabilities referenced in this advisory are
fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP
Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco
by a customer. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
Successful exploitation may allow execution of arbitrary code but
requires e.g. control of a SIP proxy.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
Georgia Institute of Technology
6) Reported by a Cisco customer
7) Sven Weizenegger, T-Systems
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
VAR-200802-0041 | CVE-2008-0526 | Cisco Unified IP Phone of SCCP as well as SIP Protocol Multiple remote vulnerabilities in |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SCCP firmware allows remote attackers to cause a denial of service (reboot) via a long ICMP echo request (ping) packet. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. A
specially-crafted DNS response may be able to trigger a buffer
overflow and execute arbitrary code on a vulnerable phone. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and
CSCsk21863. This vulnerability is corrected in SCCP
firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110. By sending a
specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to work around this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
SCCP firmware version 3.3(15) for 7936 devices. This
vulnerability is documented in CVE-2008-0527 and
Cisco Bug ID CSCsk20026. By
sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It is possible to work
around this issue by
disabling the internal SSH server on vulnerable phones. The
internal SSH server only listens to TCP port 22. This
vulnerability is corrected in SCCP firmware version 8.2(2)SR2.
This vulnerability is documented in CVE-2004-2486
and Cisco Bug ID CSCsh79629.
SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
the handling of Multipurpose Internet Mail Extensions (MIME)
encoded data. By sending a specially crafted SIP message to a
vulnerable phone, it may be possible to trigger a buffer overflow
and execute arbitrary code on the phone. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0528 and Cisco Bug ID
CSCsj74786. The telnet server is disabled by
default and can be configured to allow either privileged or
unprivileged user-level access. If the telnet server is enabled
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID
CSCsj78359. If an
attacker controls the SIP proxy to which a vulnerable phone is
registered, attempts to register, or the attacker can act as a
man-in-the-middle, it may be possible to send a malicious
challenge/response message to a phone and execute arbitrary code.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531
and Cisco Bug ID CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will
eliminate exposure to the Telnet Server overflow and HTTP Server DoS
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+------------------+-------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+--------------+------------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
----------------------------------------------------------------------
Successful exploitation may allow execution of arbitrary code but
requires e.g. control of a SIP proxy.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
Georgia Institute of Technology
6) Reported by a Cisco customer
7) Sven Weizenegger, T-Systems
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
----------------------------------------------------------------------
VAR-200802-0046 | CVE-2008-0531 | Cisco Unified IP Phone Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SIP firmware might allow remote SIP servers to execute arbitrary code via a crafted challenge/response message. Cisco Unified IP Phone contains a heap overflow vulnerability.
An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and
CSCsk21863. It is possible
to cause a vulnerable device to reboot by sending a large ICMP
echo request packet. This vulnerability is corrected in SCCP
firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110. By sending a
specially crafted HTTP request to TCP port
80 on a vulnerable phone, it may be possible to cause the phone
to reboot. It is possible to work around this issue by disabling
the internal HTTP server on vulnerable phones. The internal HTTP
server only listens to TCP port 80. This vulnerability is
corrected in SCCP firmware version 3.2(17) for 7935 devices and
SCCP firmware version 3.3(15) for 7936 devices. This
vulnerability is documented in CVE-2008-0527 and
Cisco Bug ID CSCsk20026. By
sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It is possible to work
around this issue by
disabling the internal SSH server on vulnerable phones. The
internal SSH server only listens to TCP port 22. This
vulnerability is corrected in SCCP firmware version 8.2(2)SR2.
This vulnerability is documented in CVE-2004-2486
and Cisco Bug ID CSCsh79629. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0528 and Cisco Bug ID
CSCsj74786. The telnet server is disabled by
default and can be configured to allow either privileged or
unprivileged user-level access. If the telnet server is enabled
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID
CSCsj78359. If an
attacker controls the SIP proxy to which a vulnerable phone is
registered, attempts to register, or the attacker can act as a
man-in-the-middle, it may be possible to send a malicious
challenge/response message to a phone and execute arbitrary code.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531
and Cisco Bug ID CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will
eliminate exposure to the Telnet Server overflow and HTTP Server DoS
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Fixed firmware for all SCCP-related vulnerabilities can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2
Fixed Firmware for SIP-Related Vulnerabilities
All the SIP-related vulnerabilities referenced in this advisory are
fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP
Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco
by a customer. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+------------------+-------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+--------------+------------------+-------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
Successful exploitation may allow execution of arbitrary code but
requires e.g. control of a SIP proxy.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
Georgia Institute of Technology
6) Reported by a Cisco customer
7) Sven Weizenegger, T-Systems
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
VAR-200802-0045 | CVE-2008-0530 | Multiple remote vulnerabilities in the SCCP and SIP protocols of Cisco Unified IP Phone |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in Cisco Unified IP Phone 7940, 7940G, 7960, and 7960G running SCCP and SIP firmware might allow remote attackers to execute arbitrary code via a crafted DNS response. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.
It is possible to cause a vulnerable device to reboot by sending a
large ICMP echo request packet. This vulnerability is corrected in
SCCP firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110.
By sending a specially crafted HTTP request to TCP port 80 on a
vulnerable phone, it may be possible to cause the phone to reboot.
It is possible to work around this issue by disabling the internal
HTTP server on vulnerable phones. The internal HTTP server only
listens to TCP port 80. This vulnerability is corrected in SCCP
firmware version 3.2(17) for 7935 devices and SCCP firmware version
3.3(15) for 7936 devices. This vulnerability is documented in
CVE-2008-0527 and Cisco Bug ID CSCsk20026.
By sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It is possible to work
around this issue by disabling the internal SSH server on
vulnerable phones. The internal SSH server only listens to TCP
port 22. This vulnerability is corrected in SCCP firmware version
8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 and
Cisco Bug ID CSCsh79629.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0528 and Cisco Bug ID
CSCsj74786.
The telnet server is disabled by default and can be configured to
allow either privileged or unprivileged user-level access. If the
telnet server is enabled for privileged or unprivileged access, the
phone password parameter must additionally be configured to permit
telnet access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.
If an attacker controls the SIP proxy to which a vulnerable phone is
registered, attempts to register, or the attacker can act as a
man-in-the-middle, it may be possible to send a malicious
challenge/response message to a phone and execute arbitrary code.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531 and Cisco Bug ID
CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
Disabling unnecessary internal phone Telnet and HTTP servers will
eliminate exposure to the Telnet Server overflow and HTTP Server DoS
vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Fixed firmware for all SCCP-related vulnerabilities can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2
Fixed Firmware for SIP-Related Vulnerabilities
All the SIP-related vulnerabilities referenced in this advisory are
fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP
Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco
by a customer. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+------------------------------------------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release.  |
+------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
Successful exploitation may allow execution of arbitrary code but
requires e.g. control of a SIP proxy.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
Georgia Institute of Technology
6) Reported by a Cisco customer
7) Sven Weizenegger, T-Systems
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
VAR-200802-0042 | CVE-2008-0527 | Multiple remote vulnerabilities in the SCCP and SIP protocols of Cisco Unified IP Phone |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The HTTP server in Cisco Unified IP Phone 7935 and 7936 running SCCP firmware allows remote attackers to cause a denial of service (reboot) via a crafted HTTP request. Please refer to the “Overview” for the impact of this vulnerability.
An attacker can exploit these issues to execute arbitrary code with superuser privileges or crash the affected device, denying service to legitimate users. There are workarounds for several of
these vulnerabilities. Cisco has made free software available to
address this issue for affected customers.
Products Confirmed Not Vulnerable
+--------------------------------
No other Cisco products are known to be vulnerable. A
specially-crafted DNS response may be able to trigger a buffer
overflow and execute arbitrary code on a vulnerable phone. This
vulnerability is corrected in SCCP firmware version 8.0(8) and
SIP firmware version 8.8(0). This vulnerability is documented in
CVE-2008-0530 and Cisco Bug IDs CSCsj74818 and CSCsk21863.
It is possible to cause a vulnerable device to reboot by sending a
large ICMP echo request packet. This vulnerability is corrected in
SCCP firmware version 8.0(6). This vulnerability is documented in
CVE-2008-0526 and Cisco Bug ID CSCsh71110.
It is possible to work around this issue by disabling the internal
HTTP server on vulnerable phones. The internal HTTP server only
listens to TCP port 80. This vulnerability is corrected in SCCP
firmware version 3.2(17) for 7935 devices and SCCP firmware version
3.3(15) for 7936 devices. This vulnerability is documented in
CVE-2008-0527 and Cisco Bug ID CSCsk20026.
By sending a specially crafted packet to TCP port 22 on a
vulnerable phone, it may be possible for an unauthenticated
attacker to cause the phone to reboot. It is possible to work
around this issue by disabling the internal SSH server on
vulnerable phones. The internal SSH server only listens to TCP
port 22. This vulnerability is corrected in SCCP firmware version
8.2(2)SR2. This vulnerability is documented in CVE-2004-2486 and
Cisco Bug ID CSCsh79629.
SIP-Only Related Vulnerabilities
* SIP MIME Boundary Overflow
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
the handling of Multipurpose Internet Mail Extensions (MIME)
encoded data. By sending a specially crafted SIP message to a
vulnerable phone, it may be possible to trigger a buffer overflow
and execute arbitrary code on the phone. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0528 and Cisco Bug ID CSCsj74786.
The telnet server is disabled by default and can be configured to
allow either privileged or unprivileged user-level access. If the
telnet server is enabled for privileged or unprivileged access, the
phone password parameter must additionally be configured to permit
telnet access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID CSCsj78359.
If an attacker controls the SIP proxy to which a vulnerable phone is
registered, attempts to register, or the attacker can act as a
man-in-the-middle, it may be possible to send a malicious
challenge/response message to a phone and execute arbitrary code.
This vulnerability is corrected in SIP firmware version 8.8(0).
This vulnerability is documented in CVE-2008-0531 and Cisco Bug ID
CSCsj74765.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCsj74818 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk21863 - DNS Response Parsing Stack Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh71110 - 7940/7960 IP Phone ICMP Denial of Service
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsk20026 - IP Phone HTTP Vulnerability
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsh79629 - TNP Phone SSH Vulnerability
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74786 - SIP Mime Boundary Overflow
CVSS Base Score - 10.0
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 8.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj78359 - SIP 40/60:Telnet access stack overflow
CVSS Base Score - 8.5
Access Vector - Network
Access Complexity - Medium
Authentication - Single
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 7
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
CSCsj74765 - SIP Proxy Response Overflow
CVSS Base Score - 7.3
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Complete
Availability Impact - Complete
CVSS Temporal Score - 6.3
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of these vulnerabilities may cause vulnerable
IP phone devices to reboot which will interrupt client voice services
and, in some cases, allow the execution of arbitrary code.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Workarounds
===========
Workarounds are available for several of the vulnerabilities.
It is possible to mitigate these vulnerabilities with access control
lists (ACL). Filters that deny ICMP Echo Request, TCP port 22 (SSH),
TCP port 23 (Telnet), TCP port 80 (HTTP), TCP/UDP port 53 (DNS) and
TCP/UDP port 5060 (SIP) should be deployed at voice/data network
boundaries as part of a tACL policy for protection of traffic which
enters the network at ingress access points. This policy should be
configured to protect the network device and other devices behind it
where the filter is applied.
Additional information about tACLs is available in "Transit Access
Control Lists: Filtering at Your Edge":
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080116-phone.shtml
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed
software becomes available. Prior to deploying software, customers
should consult their maintenance provider or check the software for
feature set compatibility and known issues specific to their
environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com"
for software upgrades.
Fixed firmware for all SCCP-related vulnerabilities can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ip-7900ser?psrtdcat20e2
Fixed Firmware for SIP-Related Vulnerabilities
All the SIP-related vulnerabilities referenced in this advisory are
fixed in SIP firmware version 8.0(6) and later for Cisco Unified IP
Phone 7940, 7940G, 7960 and 7960G devices, which can be obtained
here:
http://www.cisco.com/pcgi-bin/tablebuild.pl/sip-ip-phone7960?psrtdcat20e2
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreement with third-party support organizations
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party
vendors but are unsuccessful at obtaining fixed software through
their point of sale should get their upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the
TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.
The SIP MIME Boundary, Telnet Server, DNS Response Parsing and SIP
Proxy Response overflows were reported to Cisco by Jon Griffin and
Mustaque Ahamad of the School of Computer Science at the Georgia
Institute of Technology.
The HTTP Server DoS was reported to Cisco by Sven Weizenegger of
T-Systems.
The Large ICMP Echo Request DoS vulnerability was reported to Cisco
by a customer. The SSH Server DoS was discovered internally by Cisco.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------+
| Revision 1.0 | 2008-February-13 | Initial public release. |
+-----------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
----------------------------------------------------------------------
Successful exploitation may allow execution of arbitrary code but
requires e.g. control of a SIP proxy.
PROVIDED AND/OR DISCOVERED BY:
1) Reported by the vendor
2-5) Jon Griffin and Mustaque Ahamad, School of Computer Science,
Georgia Institute of Technology
6) Reported by a Cisco customer
7) Sven Weizenegger, T-Systems
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080213-phone.shtml
----------------------------------------------------------------------
VAR-200802-0510 | CVE-2008-0779 | Fortinet FortiClient Host Security MR5 Patch 3 of fortimon.sys Vulnerability to execute arbitrary code in device driver |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The fortimon.sys device driver in Fortinet FortiClient Host Security 3.0 MR5 Patch 3 and earlier does not properly initialize its DeviceExtension, which allows local users to access kernel memory and execute arbitrary code via a crafted request. Fortinet FortiClient is prone to a local privilege-escalation vulnerability because it fails to perform adequate device filtering.
Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.
Versions prior to FortiClient 3.0 MR5 Patch 4 are vulnerable.
----------------------------------------------------------------------
TITLE:
Fortinet FortiClient Privilege Escalation Vulnerability
SECUNIA ADVISORY ID:
SA28975
VERIFY ADVISORY:
http://secunia.com/advisories/28975/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
SOFTWARE:
Fortinet FortiClient 3.x
http://secunia.com/product/11276/
DESCRIPTION:
Ruben Santamarta has reported a vulnerability in Fortinet
FortiClient, which can be exploited by malicious, local users to gain
escalated privileges.
SOLUTION:
Update to version 3.0 MR5 Patch 4 or version 3.0 MR6.
PROVIDED AND/OR DISCOVERED BY:
Ruben Santamarta, Reverse Mode
ORIGINAL ADVISORY:
Fortinet:
http://kc.forticare.com/default.asp?id=3618
Reverse Mode:
http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=47&Itemid=15
----------------------------------------------------------------------