VARIoT IoT vulnerabilities database

Unspecified vulnerability in the Web Server in Cisco Unified MeetingPlace Web Conferencing 6.0 before 6.0(517.0) (aka 6.0 MR4) and 7.0 before 7.0(2) (aka 7.0 MR1) allows remote attackers to bypass authentication and obtain administrative access via a crafted URL. An attacker can exploit this issue to gain administrative access to the affected application. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible. This issue is tracked by Cisco Bug ID CSCsv65815. Unified MeetingPlace Web Conferencing 6.0 and 7.0 are vulnerable. Cisco has released free software updates that address this vulnerability. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml Affected Products ================= Cisco Unified MeetingPlace conferencing solution provides functionality that allows organizations to host integrated voice, video, and web conferencing. The solution is deployed on-network, behind the firewall and integrated directly into an organization's private voice/data networks and enterprise applications. Cisco Unified MeetingPlace servers can be deployed so that the server is accessible from the Internet, allowing external parties to participate in meetings. No other Cisco products are currently known to be affected by this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCsv65815 - Authentication Bypass in MeetingPlace Web Server CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - Partial Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may result in unauthorized access to the administrative functions of the Cisco Unified MeetingPlace application. Software Versions and Fixes =========================== This vulnerability is fixed in Cisco Unified MeetingPlace Web Conferencing software version 6.0(517.0) also known as Maintenance Release 4 (MR4) for the 6.0 release, and version 7.0(2) also known as Maintenance Release 1 (MR1) for the 7.0 release. The latest versions of Cisco MeetingPlace software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278875240 The Cisco Unified MeetingPlace Web Server software is available at: http://tools.cisco.com/support/downloads/go/Model.x?mdfid=278816725&mdfLevel=Software%20Version/Option&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20MeetingPlace%20Web%20Conferencing&treeMdfId=278875240 When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== This vulnerability was reported to Cisco by National Australia Bank's Security Assurance team. Cisco would like to thank the National Australia Bank's Security Assurance team for the discovery and reporting of the vulnerability. The Cisco PSIRT is not aware of any malicious use of the vulnerability described in this advisory. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-mtgplace.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-February-25 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFJpWeb86n/Gc8U/uARAty+AKCIt9MQ0A+BzIMX+MBZHjiod59WBACeMUgH rPsjG9qKmCDQlA6XlaLFMr0= =6x6Q -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Directory traversal vulnerability in Cisco Application Networking Manager (ANM) before 2.0 and Application Control Engine (ACE) Device Manager before A3(2.1) allows remote authenticated users to read or modify arbitrary files via unspecified vectors, related to "invalid directory permissions.". A successful exploit may allow attackers to obtain sensitive information, view or modify files, cause denial-of-service conditions, or gain unauthorized access to the affected application. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access. A workaround that mitigates one of the issues is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml. Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml. Affected Products ================= Vulnerable Products - ------------------- The following are the products and versions affected by each vulnerability described within this advisory. +---------------------------------------+ | Vulnerability | Product | Version | | | Affected | Affected | |---------------+----------+------------| | Invalid | ACE | All | | Directory | Device | versions | | Permissions | Manager | prior to | | | | A3(2.1) | |---------------+----------+------------| | Invalid | | All | | Directory | ANM | versions | | Permissions | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Default User | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | MySQL Default | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Java Agent | | versions | | Privilege | ANM | prior to | | Escalation | | ANM 2.0 | | | | Update A | +---------------------------------------+ Determining ACE Device Manager Software Version +---------------------------------------------- The ACE Device Manager is embedded with the ACE appliance software. To display the version of system software that is currently running on the device, use the "show version" command. The following example includes the output of the "show version" command on a Cisco ACE appliance running software version A3(2.1): ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html. Software loader: Version 0.95 system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1] system image file: (nd)/192.168.65.32/scimitar.bin Device Manager version 1.1 (0) 20081113:2052 --- Determining ANM Software Version +------------------------------- To display the version of ANM software that is currently installed, login to the ANM server and select the "About" keyword in the upper right. An informational pop up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below. Version: 2.0(0), Update: A Build Number: 709 Build Timestamp: 20081031:1226 Products Confirmed Not Vulnerable - --------------------------------- The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise Linux operating system. The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance. The following details are provided for each vulnerability addressed in this security advisory. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. To exploit these vulnerabilities authentication is required to initially access either product. This vulnerability is documented in the following Cisco Bug IDs: * CSCsv66063 * CSCsv70130 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615. Default User Credentials +----------------------- Versions of Cisco ANM prior to software version ANM 2.0 do not force credential changes during installation. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52724 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616. MySQL Default Credentials +------------------------ ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. Unauthorized access to the database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. The ACE appliance and module device configuration files in the MySQL database are encrypted. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52632 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617. Java Agent Privilege Escalation +------------------------------ ANM versions prior to ANM 2.0 Update A contain a remotely exploitable vulnerability that could allow an attacker to view configuration files and modify ANM processes including the capability to stop services. Exploitation of this issue could result in system information disclosure or denial of services. This vulnerability is documented in the following Cisco Bug ID: * CSCsu73001 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * ACE Device Manager invalid directory permissions (CSCsv66063) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM invalid directory permissions (CSCsv70130) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM default user credentials during installation (CSCsu52724) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM embedded MySQL default credentials (CSCsu52632) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM Java agent privilege escalation (CSCsu73001) CVSS Base Score - 8.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the ACE Device Manager and ANM invalid directory permission vulnerabilities may allow unauthorized access to view or modify the ACE Device Manager or ANM file system, including host operating system files. Modification of some system files could result in a denial of service condition. Exploitation of the ANM default user credential and ANM MySQL database default credential vulnerabilities may allow an attacker to gain unauthorized system access. Modification of ANM settings with the default user credentials could result in a denial of service condition. Unauthorized access to the MySQL database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. Successful exploitation of the ANM privilege escalation vulnerability may result in unauthorized remote access to system processes and services with the ability to modify. Modification of these services could result in a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release which have fixes for all the published vulnerabilities at the time of this Advisory. +---------------------------------------+ | | First | Recommended | | Vulnerability | Fixed | Release | | | Release | | |---------------+---------+-------------| | ACE Device | | | | Manager | | | | Invalid | A3(2.1) | A3(2.1) | | Directory | | | | Permissions | | | |---------------+---------+-------------| | ANM Invalid | | ANM 2.0 | | Directory | ANM 2.0 | Update A | | Permissions | | | |---------------+---------+-------------| | ANM Default | | ANM 2.0 | | User | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM MySQL | | ANM 2.0 | | Default | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM Java | ANM 2.0 | | | Agent | Update | ANM 2.0 | | Privilege | A | Update A | | Escalation | | | +---------------------------------------+ ANM 2.0 Update A can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin ACE Device Manager A3(2.1) can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin Workarounds =========== While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability. ANM Default User Credentials +--------------------------- The ANM user "admin" account password may be modified after installation by following the procedures documented for "Changing the Admin Password" located in the ANM User Guide at: http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216 Applied Mitigation Bulletin +-------------------------- Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts - -------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations - ------------------------------------------------- Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts - ----------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability. The remaining vulnerabilities were identified through internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009 February 25 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 25, 2009 Document ID: 109451 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU =xUPr -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cisco Application Networking Manager (ANM) before 2.0 uses default usernames and passwords, which makes it easier for remote attackers to access the application, or cause a denial of service via configuration changes, related to "default user credentials during installation.". A successful exploit may allow attackers to obtain sensitive information, view or modify files, cause denial-of-service conditions, or gain unauthorized access to the affected application. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access. A workaround that mitigates one of the issues is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml. Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml. Affected Products ================= Vulnerable Products - ------------------- The following are the products and versions affected by each vulnerability described within this advisory. +---------------------------------------+ | Vulnerability | Product | Version | | | Affected | Affected | |---------------+----------+------------| | Invalid | ACE | All | | Directory | Device | versions | | Permissions | Manager | prior to | | | | A3(2.1) | |---------------+----------+------------| | Invalid | | All | | Directory | ANM | versions | | Permissions | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Default User | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | MySQL Default | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Java Agent | | versions | | Privilege | ANM | prior to | | Escalation | | ANM 2.0 | | | | Update A | +---------------------------------------+ Determining ACE Device Manager Software Version +---------------------------------------------- The ACE Device Manager is embedded with the ACE appliance software. To display the version of system software that is currently running on the device, use the "show version" command. The following example includes the output of the "show version" command on a Cisco ACE appliance running software version A3(2.1): ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html. Software loader: Version 0.95 system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1] system image file: (nd)/192.168.65.32/scimitar.bin Device Manager version 1.1 (0) 20081113:2052 --- Determining ANM Software Version +------------------------------- To display the version of ANM software that is currently installed, login to the ANM server and select the "About" keyword in the upper right. An informational pop up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below. Version: 2.0(0), Update: A Build Number: 709 Build Timestamp: 20081031:1226 Products Confirmed Not Vulnerable - --------------------------------- The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise Linux operating system. The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance. The following details are provided for each vulnerability addressed in this security advisory. Invalid Directory Permissions +---------------------------- Versions of the Cisco ACE Device Manager prior to software version A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory traversal vulnerabilities. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. To exploit these vulnerabilities authentication is required to initially access either product. This vulnerability is documented in the following Cisco Bug IDs: * CSCsv66063 * CSCsv70130 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52724 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616. MySQL Default Credentials +------------------------ ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. Unauthorized access to the database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. The ACE appliance and module device configuration files in the MySQL database are encrypted. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52632 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617. Java Agent Privilege Escalation +------------------------------ ANM versions prior to ANM 2.0 Update A contain a remotely exploitable vulnerability that could allow an attacker to view configuration files and modify ANM processes including the capability to stop services. Exploitation of this issue could result in system information disclosure or denial of services. This vulnerability is documented in the following Cisco Bug ID: * CSCsu73001 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * ACE Device Manager invalid directory permissions (CSCsv66063) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM invalid directory permissions (CSCsv70130) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM default user credentials during installation (CSCsu52724) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM embedded MySQL default credentials (CSCsu52632) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM Java agent privilege escalation (CSCsu73001) CVSS Base Score - 8.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the ACE Device Manager and ANM invalid directory permission vulnerabilities may allow unauthorized access to view or modify the ACE Device Manager or ANM file system, including host operating system files. Modification of some system files could result in a denial of service condition. Exploitation of the ANM default user credential and ANM MySQL database default credential vulnerabilities may allow an attacker to gain unauthorized system access. Unauthorized access to the MySQL database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. Successful exploitation of the ANM privilege escalation vulnerability may result in unauthorized remote access to system processes and services with the ability to modify. Modification of these services could result in a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release which have fixes for all the published vulnerabilities at the time of this Advisory. +---------------------------------------+ | | First | Recommended | | Vulnerability | Fixed | Release | | | Release | | |---------------+---------+-------------| | ACE Device | | | | Manager | | | | Invalid | A3(2.1) | A3(2.1) | | Directory | | | | Permissions | | | |---------------+---------+-------------| | ANM Invalid | | ANM 2.0 | | Directory | ANM 2.0 | Update A | | Permissions | | | |---------------+---------+-------------| | ANM Default | | ANM 2.0 | | User | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM MySQL | | ANM 2.0 | | Default | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM Java | ANM 2.0 | | | Agent | Update | ANM 2.0 | | Privilege | A | Update A | | Escalation | | | +---------------------------------------+ ANM 2.0 Update A can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin ACE Device Manager A3(2.1) can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin Workarounds =========== While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability. ANM Default User Credentials +--------------------------- The ANM user "admin" account password may be modified after installation by following the procedures documented for "Changing the Admin Password" located in the ANM User Guide at: http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216 Applied Mitigation Bulletin +-------------------------- Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts - -------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations - ------------------------------------------------- Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts - ----------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability. The remaining vulnerabilities were identified through internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009 February 25 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 25, 2009 Document ID: 109451 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU =xUPr -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cisco Application Networking Manager (ANM) before 2.0 uses a default MySQL root password, which makes it easier for remote attackers to execute arbitrary operating-system commands or change system files. Cisco Application Network Manager (ANM) and Application Control Engine (ACE) Device Manager are prone to multiple security vulnerabilities, including directory-traversal issues, unauthorized access via default credentials, and a privilege-escalation issue. A successful exploit may allow attackers to obtain sensitive information, view or modify files, cause denial-of-service conditions, or gain unauthorized access to the affected application. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access. A workaround that mitigates one of the issues is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml. Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml. Affected Products ================= Vulnerable Products - ------------------- The following are the products and versions affected by each vulnerability described within this advisory. +---------------------------------------+ | Vulnerability | Product | Version | | | Affected | Affected | |---------------+----------+------------| | Invalid | ACE | All | | Directory | Device | versions | | Permissions | Manager | prior to | | | | A3(2.1) | |---------------+----------+------------| | Invalid | | All | | Directory | ANM | versions | | Permissions | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Default User | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | MySQL Default | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Java Agent | | versions | | Privilege | ANM | prior to | | Escalation | | ANM 2.0 | | | | Update A | +---------------------------------------+ Determining ACE Device Manager Software Version +---------------------------------------------- The ACE Device Manager is embedded with the ACE appliance software. To display the version of system software that is currently running on the device, use the "show version" command. The following example includes the output of the "show version" command on a Cisco ACE appliance running software version A3(2.1): ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html. Software loader: Version 0.95 system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1] system image file: (nd)/192.168.65.32/scimitar.bin Device Manager version 1.1 (0) 20081113:2052 --- Determining ANM Software Version +------------------------------- To display the version of ANM software that is currently installed, login to the ANM server and select the "About" keyword in the upper right. An informational pop up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below. Version: 2.0(0), Update: A Build Number: 709 Build Timestamp: 20081031:1226 Products Confirmed Not Vulnerable - --------------------------------- The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise Linux operating system. The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance. The following details are provided for each vulnerability addressed in this security advisory. Invalid Directory Permissions +---------------------------- Versions of the Cisco ACE Device Manager prior to software version A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory traversal vulnerabilities. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. To exploit these vulnerabilities authentication is required to initially access either product. This vulnerability is documented in the following Cisco Bug IDs: * CSCsv66063 * CSCsv70130 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615. Default User Credentials +----------------------- Versions of Cisco ANM prior to software version ANM 2.0 do not force credential changes during installation. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52724 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616. MySQL Default Credentials +------------------------ ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. The ACE appliance and module device configuration files in the MySQL database are encrypted. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52632 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617. Java Agent Privilege Escalation +------------------------------ ANM versions prior to ANM 2.0 Update A contain a remotely exploitable vulnerability that could allow an attacker to view configuration files and modify ANM processes including the capability to stop services. Exploitation of this issue could result in system information disclosure or denial of services. This vulnerability is documented in the following Cisco Bug ID: * CSCsu73001 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * ACE Device Manager invalid directory permissions (CSCsv66063) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM invalid directory permissions (CSCsv70130) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM default user credentials during installation (CSCsu52724) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM embedded MySQL default credentials (CSCsu52632) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM Java agent privilege escalation (CSCsu73001) CVSS Base Score - 8.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the ACE Device Manager and ANM invalid directory permission vulnerabilities may allow unauthorized access to view or modify the ACE Device Manager or ANM file system, including host operating system files. Modification of some system files could result in a denial of service condition. Exploitation of the ANM default user credential and ANM MySQL database default credential vulnerabilities may allow an attacker to gain unauthorized system access. Modification of ANM settings with the default user credentials could result in a denial of service condition. Successful exploitation of the ANM privilege escalation vulnerability may result in unauthorized remote access to system processes and services with the ability to modify. Modification of these services could result in a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release which have fixes for all the published vulnerabilities at the time of this Advisory. +---------------------------------------+ | | First | Recommended | | Vulnerability | Fixed | Release | | | Release | | |---------------+---------+-------------| | ACE Device | | | | Manager | | | | Invalid | A3(2.1) | A3(2.1) | | Directory | | | | Permissions | | | |---------------+---------+-------------| | ANM Invalid | | ANM 2.0 | | Directory | ANM 2.0 | Update A | | Permissions | | | |---------------+---------+-------------| | ANM Default | | ANM 2.0 | | User | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM MySQL | | ANM 2.0 | | Default | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM Java | ANM 2.0 | | | Agent | Update | ANM 2.0 | | Privilege | A | Update A | | Escalation | | | +---------------------------------------+ ANM 2.0 Update A can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin ACE Device Manager A3(2.1) can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin Workarounds =========== While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability. ANM Default User Credentials +--------------------------- The ANM user "admin" account password may be modified after installation by following the procedures documented for "Changing the Admin Password" located in the ANM User Guide at: http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216 Applied Mitigation Bulletin +-------------------------- Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts - -------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations - ------------------------------------------------- Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts - ----------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability. The remaining vulnerabilities were identified through internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009 February 25 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 25, 2009 Document ID: 109451 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU =xUPr -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Unspecified vulnerability in the Java agent in Cisco Application Networking Manager (ANM) before 2.0 Update A allows remote attackers to gain privileges, and cause a denial of service (service outage) by stopping processes, or obtain sensitive information by reading configuration files. Cisco Application Network Manager (ANM) and Application Control Engine (ACE) Device Manager are prone to multiple security vulnerabilities, including directory-traversal issues, unauthorized access via default credentials, and a privilege-escalation issue. This may aid in the complete compromise of the underlying computer. These vulnerabilities are independent of each other. Successful exploitation of these vulnerabilities may result in unauthorized system or host operating system access. A workaround that mitigates one of the issues is available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml. Note: This advisory is being released simultaneously with a multiple vulnerabilities advisory impacting the ACE appliance and module software, which is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml. Affected Products ================= Vulnerable Products - ------------------- The following are the products and versions affected by each vulnerability described within this advisory. +---------------------------------------+ | Vulnerability | Product | Version | | | Affected | Affected | |---------------+----------+------------| | Invalid | ACE | All | | Directory | Device | versions | | Permissions | Manager | prior to | | | | A3(2.1) | |---------------+----------+------------| | Invalid | | All | | Directory | ANM | versions | | Permissions | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Default User | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | MySQL Default | ANM | versions | | Credentials | | prior to | | | | ANM 2.0 | |---------------+----------+------------| | | | All | | Java Agent | | versions | | Privilege | ANM | prior to | | Escalation | | ANM 2.0 | | | | Update A | +---------------------------------------+ Determining ACE Device Manager Software Version +---------------------------------------------- The ACE Device Manager is embedded with the ACE appliance software. To display the version of system software that is currently running on the device, use the "show version" command. The following example includes the output of the "show version" command on a Cisco ACE appliance running software version A3(2.1): ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html. Software loader: Version 0.95 system: Version A3(2.1) [build 3.0(0)A3(2.1) adbuild_14:33:29-2008/11/19_/auto/adbu-rel4/rel_a3_2_1_throttle_build/REL_3_0_0_A3_2_1] system image file: (nd)/192.168.65.32/scimitar.bin Device Manager version 1.1 (0) 20081113:2052 --- Determining ANM Software Version +------------------------------- To display the version of ANM software that is currently installed, login to the ANM server and select the "About" keyword in the upper right. An informational pop up window will be displayed. ANM Version 2.0 Update A is indicated in the example output below. Version: 2.0(0), Update: A Build Number: 709 Build Timestamp: 20081031:1226 Products Confirmed Not Vulnerable - --------------------------------- The Cisco ACE XML Gateway, Cisco ACE GSS (Global Site Selector) 4400 Series and Cisco ACE Web Application Firewall are not affected by any of these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= ANM is a network management application that manages Cisco ACE modules or appliances. ANM is installed on customer provided servers with a Red Hat Enterprise Linux operating system. The ACE Device Manager provides a browser-based interface for configuring and managing a single ACE appliance. The ACE Device Manager resides in flash memory on the ACE appliance. The following details are provided for each vulnerability addressed in this security advisory. Invalid Directory Permissions +---------------------------- Versions of the Cisco ACE Device Manager prior to software version A3(2.1) and Cisco ANM prior software version ANM 2.0 contain directory traversal vulnerabilities. These vulnerabilities could allow unauthorized access to ACE operating system and host operating system files. To exploit these vulnerabilities authentication is required to initially access either product. This vulnerability is documented in the following Cisco Bug IDs: * CSCsv66063 * CSCsv70130 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0615. Default User Credentials +----------------------- Versions of Cisco ANM prior to software version ANM 2.0 do not force credential changes during installation. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52724 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0616. MySQL Default Credentials +------------------------ ANM versions prior to ANM 2.0 use a default MySQL root user password during installation. The MySQL database is installed by default when ANM is initially installed. This vulnerability can be exploited remotely with default credential authentication and without end-user interaction. Unauthorized access to the database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. The ACE appliance and module device configuration files in the MySQL database are encrypted. This vulnerability is documented in the following Cisco Bug ID: * CSCsu52632 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0617. Exploitation of this issue could result in system information disclosure or denial of services. This vulnerability is documented in the following Cisco Bug ID: * CSCsu73001 This vulnerability has been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0618. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss * ACE Device Manager invalid directory permissions (CSCsv66063) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM invalid directory permissions (CSCsv70130) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * ANM default user credentials during installation (CSCsu52724) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM embedded MySQL default credentials (CSCsu52632) CVSS Base Score - 10.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed * ANM Java agent privilege escalation (CSCsu73001) CVSS Base Score - 8.5 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Partial Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the ACE Device Manager and ANM invalid directory permission vulnerabilities may allow unauthorized access to view or modify the ACE Device Manager or ANM file system, including host operating system files. Modification of some system files could result in a denial of service condition. Exploitation of the ANM default user credential and ANM MySQL database default credential vulnerabilities may allow an attacker to gain unauthorized system access. Modification of ANM settings with the default user credentials could result in a denial of service condition. Unauthorized access to the MySQL database may allow modification of system files that could impact the function of ANM or allow execution of commands on the underlying host operating system. Successful exploitation of the ANM privilege escalation vulnerability may result in unauthorized remote access to system processes and services with the ability to modify. Modification of these services could result in a denial of service condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the following software table identifies the earliest possible software release that contains the fix listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the release which have fixes for all the published vulnerabilities at the time of this Advisory. +---------------------------------------+ | | First | Recommended | | Vulnerability | Fixed | Release | | | Release | | |---------------+---------+-------------| | ACE Device | | | | Manager | | | | Invalid | A3(2.1) | A3(2.1) | | Directory | | | | Permissions | | | |---------------+---------+-------------| | ANM Invalid | | ANM 2.0 | | Directory | ANM 2.0 | Update A | | Permissions | | | |---------------+---------+-------------| | ANM Default | | ANM 2.0 | | User | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM MySQL | | ANM 2.0 | | Default | ANM 2.0 | Update A | | Credentials | | | |---------------+---------+-------------| | ANM Java | ANM 2.0 | | | Agent | Update | ANM 2.0 | | Privilege | A | Update A | | Escalation | | | +---------------------------------------+ ANM 2.0 Update A can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/netmgmt/anm/1.2/anm2.0-update-A.bin ACE Device Manager A3(2.1) can be downloaded from: http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=/cisco/crypto/3DES/ans/DNSS/ace4710/c4710ace-mz.A3_2_1.bin Workarounds =========== While this Security Advisory describes multiple distinct vulnerabilities, a workaround exists for only the following vulnerability. ANM Default User Credentials +--------------------------- The ANM user "admin" account password may be modified after installation by following the procedures documented for "Changing the Admin Password" located in the ANM User Guide at: http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_admin.html#wp1053216 Applied Mitigation Bulletin +-------------------------- Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-anm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts - -------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations - ------------------------------------------------- Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts - ----------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. Acknowledgement to the National Australia Bank's Security Assurance team for the discovery and reporting of the ACE Device Manager directory permissions vulnerability. The remaining vulnerabilities were identified through internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009 February 25 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 25, 2009 Document ID: 109451 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmlezoACgkQ86n/Gc8U/uAexwCfYI7DnCQWq4XF2Id8o6bO4+zJ a6IAn0r51YyfdsXPFgYII7OPUWLzJHLU =xUPr -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.1) uses default (1) usernames and (2) passwords for (a) the administrator and (b) web management, which makes it easier for remote attackers to perform configuration changes or obtain operating-system access. Other attacks are also possible. Workarounds that mitigate some of the vulnerabilities are available. Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco 4700 Series Application Control Engine Device Manager and Application Networking Manager module software. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml Affected Products ================= Vulnerable Products +------------------ The following table displays the products that are affected by each vulnerability that is described within this advisory. +-------------------------------------------------------------------+ | | Products and Versions | | | Affected | |Vulnerability |-----------------------------| | | Cisco ACE | Cisco ACE | | | 4710 | Module | | | Appliance | | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Default Usernames and Passwords | prior to A1 | prior to A2 | | | (8a) | (1.1) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Privilege Escalation Vulnerability | prior to A1 | prior to A2 | | | (8a) | (1.2) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 | | | (2.1) | (1.3) | |-------------------------------------+--------------+--------------| | Crafted Simple Network Management | All versions | All versions | | Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 | | Vulnerability | (2.1) | (1.3) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 | | | (8.0) | (1.2) | +-------------------------------------------------------------------+ Determining Software Versions +---------------------------- To display the version of system software that is currently running on Cisco ACE Application Control Engine, use the show version command. The following example displays the output of the show version command on the Cisco ACE Application Control Engine software version A3(1.0): ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html Software loader: Version 0.95 system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0 system image file: (nd)/192.168.65.31/scimitar.bin Device Manager version 1.1 (0) 20080805:0415 ... <output truncated> The following example displays the output of the show version command on a Cisco ACE Application Control Engine module software version A1(1): ACE-mod/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html Software loader: Version 12.2[117] system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1] system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin licensed features: no feature license is installed ... <output truncated> Products Confirmed Not Vulnerable +-------------------------------- The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected by any of the vulnerabilities that are described in this advisory. No other Cisco products are currently known to be affected by these vulnerabilities. Multiple vulnerabilities exist in both products. The following information provides the details about each of the vulnerabilities that are addressed in this advisory. The appliance and module do not prompt users to modify system account passwords during the initial configuration process. An attacker with knowledge of these accounts could modify the application configuration and, in certain instances, gain user access to the host operating system. This vulnerability is documented in Cisco Bug ID CSCsq32379 ( registered customers only) and has also been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621. An authenticated user could exploit this vulnerability to invoke administrative commands via the device command line interface (CLI). An attacker could exploit this vulnerability to cause the device to reload by sending a crafted SSH packet to it. Note: SSH access must be configured on the affected device for it to be vulnerable. SSH access is not enabled by default. A full TCP three-way handshake is not necessary to trigger the effects of this vulnerability. An authenticated attacker could send a crafted SNMPv1 packet to an affected device to cause it to reload. Note: SNMPv2c must be explicitly configured in an affected device in order to process any SNMPv2c transactions. SNMPv2c is not enabled by default. An where an attacker may could cause the a device to reload by sending a crafted SNMPv3 packet to it. Note: SNMPv3 must be explicitly configured in an affected device in order to process any SNMPv3 transactions. SNMPv3 is not enabled by default. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module and appliance CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCsq32379 - DM Default Account Credentials CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module and ACE Appliance CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module or appliance to reload CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE module and appliance CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Single Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE appliance CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== An attacker with knowledge of the Default Usernames and Passwords Vulnerability accounts could modify the device configuration and, in certain instances, gain user access to the host operating system. An exploit of the Privilege Escalation Vulnerability could allow an authenticated attacker to execute host operating system administrative commands. Successful exploitation of the Crafted SSH Packet Vulnerability, Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet Vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table (below) describes the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +----------------------------------------------------------------------------------------------------------+ | | Products and Versions Affected | | |---------------------------------------------------------------------| | | Cisco ACE 4710 Appliance | Cisco ACE Module | |Vulnerability |----------------------------------+----------------------------------| | | First Fixed | Recommended | First | | | | Release | Release | Fixed | Recommended Release | | | | | Release | | |------------------------------------+---------------+------------------+------------+---------------------| | Default Usernames and Passwords | A1(8a) | A3(2.1) | A2(1.1) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Privilege Escalation Vulnerability | A1(8a) | A3(2.1) | A2(1.2) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SSH Packet Vulnerability | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SNMPv2 Packet | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) | | Vulnerability | | | | | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SNMPv2 Packet | A1(8.0) | A3(2.1) | A2(1.2) | A2(1.3) | | Vulnerability | | | | | +----------------------------------------------------------------------------------------------------------+ Cisco ACE module software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289 Cisco ACE 4710 Application Control Engine appliance software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Default Usernames and Passwords +------------------------------ To change the default administrative password, use the username command in configuration mode. The syntax of this command is as follows: username admin [password [0 | 5] {password}] The keywords, arguments, and options are: admin--Specifies the default administrative user name. password--(Optional) Keyword that indicates that a password follows. 0--(Optional) Specifies a clear text password. 5--(Optional) Specifies an MD5-hashed strong encryption password. password--The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. Enter a password as an unquoted text string with a maximum of 64 characters. For example, to create a user named admin that uses the clear text password my_super_secret_88312, enter the following command: ACE(config)# username admin password 0 my_super_secret_88312 Note: This process can also be followed to change the www user account credentials. The dm user is for accessing the Device Manager GUI and cannot be modified or deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI. For more information refer to: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html Privilege Escalation Vulnerability +--------------------------------- There are no workarounds for this vulnerability. Crafted SSH Packet Vulnerability +------------------------------- SSH management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies. This Management Traffic Service example denies unauthorized SSH packets that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SSH access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address. The following example demonstrates how SSH access to the ACE is only allowed from the 192.168.100.1 host: !-- Configure a class to allow SSH from the trusted source ! class-map type management match-all Permit_SSH_Class description Allow SSH from trusted sources Class match protocol ssh source-address 192.168.100.1 255.255.255.255 ! !-- Configure a management policy that allows ssh from the !--trusted source configured in the above class ! policy-map type management first-match Permit_SSH_Policy description Allow SSH from trusted sources Policy class Permit_SSH_Class permit ! !-- Apply the management policy globally ! service-policy input Permit_SSH_Policy Additional information about "Configuring SSH Management Sessions" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450 Additional information about "Configuring Class Maps and Policy Maps" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html warning Warning: It is possible to easily spoof the sender's IP address, which may defeat class maps and access control lists (ACLs) that permit communication to the device from trusted IP addresses. Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities +----------------------------------------------- SNMP management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies. This Management Traffic Service example denies unauthorized SNMP packets on UDP port 161 that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SNMP access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address. !-- Configure a class to allow SNMP from the trusted source ! class-map type management match-all Permit_SNMP_Class description Allow SNMP from trusted sources Class 2 match protocol snmp source-address 192.168.100.1 255.255.255.255 ! !-- Configure a management policy that allows snmp from the !--trusted source configured in the above class ! policy-map type management first-match Permit_SNMP_Policy description Allow SNMP from trusted sources Policy class Permit_SNMP_Class permit !-- Apply the management policy globally ! service-policy input Permit_SNMP_Policy Additional information about "SNMP Management Traffic Services" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011 Additional information about "Configuring Class Maps and Policy Maps" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were found during internal testing. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2009-February-25 | Initial public release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkmlbsoACgkQ86n/Gc8U/uA9egCgiM1YYI9hZhS8iZ5kbEw6vxaq gM8AnjpFAJaZ/RK593w/5j/mRHxjkLVo =rWBu -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cisco ACE 4710 Application Control Engine Appliance before A1(8a) uses default (1) usernames and (2) passwords for (a) the administrator, (b) web management, and (c) device management, which makes it easier for remote attackers to perform configuration changes to the Device Manager and other components, or obtain operating-system access. Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine are prone to multiple remote vulnerabilities: - Multiple authentication-bypass issues - A remote privilege-escalation issue - Multiple denial-of-service issues Attackers can exploit these issues to execute arbitrary commands, gain administrative access, and cause denial-of-service conditions. Other attacks are also possible. Workarounds that mitigate some of the vulnerabilities are available. Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml Note: This advisory is being released simultaneously with a multiple vulnerability disclosure advisory that impacts the Cisco 4700 Series Application Control Engine Device Manager and Application Networking Manager module software. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090225-anm.shtml Affected Products ================= Vulnerable Products +------------------ The following table displays the products that are affected by each vulnerability that is described within this advisory. +-------------------------------------------------------------------+ | | Products and Versions | | | Affected | |Vulnerability |-----------------------------| | | Cisco ACE | Cisco ACE | | | 4710 | Module | | | Appliance | | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Default Usernames and Passwords | prior to A1 | prior to A2 | | | (8a) | (1.1) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Privilege Escalation Vulnerability | prior to A1 | prior to A2 | | | (8a) | (1.2) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Crafted SSH Packet Vulnerability | prior to A3 | prior to A2 | | | (2.1) | (1.3) | |-------------------------------------+--------------+--------------| | Crafted Simple Network Management | All versions | All versions | | Protocol version 2 (SNMPv2) Packet | prior to A3 | prior to A2 | | Vulnerability | (2.1) | (1.3) | |-------------------------------------+--------------+--------------| | | All versions | All versions | | Crafted SNMPv3 Packet Vulnerability | prior to A1 | prior to A2 | | | (8.0) | (1.2) | +-------------------------------------------------------------------+ Determining Software Versions +---------------------------- To display the version of system software that is currently running on Cisco ACE Application Control Engine, use the show version command. The following example displays the output of the show version command on the Cisco ACE Application Control Engine software version A3(1.0): ACE-4710/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2008 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html Software loader: Version 0.95 system: Version A3(1.0) [build 3.0(0)A3(0.0.148) adbuild_03:31:25-2008/08/06_/auto/adbure_nightly2/nightly_rel_a3_1_0_throttle/REL_3_0_0_A3_0_0 system image file: (nd)/192.168.65.31/scimitar.bin Device Manager version 1.1 (0) 20080805:0415 ... <output truncated> The following example displays the output of the show version command on a Cisco ACE Application Control Engine module software version A1(1): ACE-mod/Admin# show version Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license. Some parts of this software are covered under the GNU Public License. A copy of the license is available at http://www.gnu.org/licenses/gpl.html Software loader: Version 12.2[117] system: Version 3.0(0)A1(1) [build 3.0(0)A1(1) _01:26:21-2006/03/13_/auto/adbu-rel/ws/REL_3_0_0_A1_1] system image file: [LCP] disk0:c6ace-t1k9-mzg.3.0.0_A1_1.bin licensed features: no feature license is installed ... <output truncated> Products Confirmed Not Vulnerable +-------------------------------- The Cisco ACE XML Gateway, the Cisco ACE Web Application Firewall, and the Cisco ACE GSS 4400 Series Global Site Selector Appliances are not affected by any of the vulnerabilities that are described in this advisory. No other Cisco products are currently known to be affected by these vulnerabilities. Multiple vulnerabilities exist in both products. The following information provides the details about each of the vulnerabilities that are addressed in this advisory. The appliance and module do not prompt users to modify system account passwords during the initial configuration process. An attacker with knowledge of these accounts could modify the application configuration and, in certain instances, gain user access to the host operating system. This vulnerability is documented in Cisco Bug ID CSCsq32379 ( registered customers only) and has also been assigned the Common Vulnerability and Exposures (CVE) ID CVE-2009-0621. An authenticated user could exploit this vulnerability to invoke administrative commands via the device command line interface (CLI). An attacker could exploit this vulnerability to cause the device to reload by sending a crafted SSH packet to it. Note: SSH access must be configured on the affected device for it to be vulnerable. SSH access is not enabled by default. A full TCP three-way handshake is not necessary to trigger the effects of this vulnerability. An authenticated attacker could send a crafted SNMPv1 packet to an affected device to cause it to reload. Note: SNMPv2c must be explicitly configured in an affected device in order to process any SNMPv2c transactions. SNMPv2c is not enabled by default. An where an attacker may could cause the a device to reload by sending a crafted SNMPv3 packet to it. Note: SNMPv3 must be explicitly configured in an affected device in order to process any SNMPv3 transactions. SNMPv3 is not enabled by default. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsq43828 and CSCsq43229 - Default users and passwords on ACE module and appliance CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCsq32379 - DM Default Account Credentials CVSS Base Score - 10 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 8.7 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCsq48546 and CSCsq09839 - Privilege escalation issue on ACE Module and ACE Appliance CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsv01877 and CSCsv01738 - Crafted SSH packet may cause ACE module or appliance to reload CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsu36038 and CSCsu47876 - Crafted SNMPv2c packet may crash ACE module and appliance CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Single Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCso83126 and CSCsq45432 - Crafted SNMPv3 packet may crash ACE appliance CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== An attacker with knowledge of the Default Usernames and Passwords Vulnerability accounts could modify the device configuration and, in certain instances, gain user access to the host operating system. An exploit of the Privilege Escalation Vulnerability could allow an authenticated attacker to execute host operating system administrative commands. Successful exploitation of the Crafted SSH Packet Vulnerability, Crafted SNMPv2 Packet Vulnerability, and Crafted SNMPv3 Packet Vulnerability may cause a reload of the affected device. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Each row of the software table (below) describes the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table. +----------------------------------------------------------------------------------------------------------+ | | Products and Versions Affected | | |---------------------------------------------------------------------| | | Cisco ACE 4710 Appliance | Cisco ACE Module | |Vulnerability |----------------------------------+----------------------------------| | | First Fixed | Recommended | First | | | | Release | Release | Fixed | Recommended Release | | | | | Release | | |------------------------------------+---------------+------------------+------------+---------------------| | Default Usernames and Passwords | A1(8a) | A3(2.1) | A2(1.1) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Privilege Escalation Vulnerability | A1(8a) | A3(2.1) | A2(1.2) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SSH Packet Vulnerability | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SNMPv2 Packet | A3(2.1) | A3(2.1) | A2(1.3) | A2(1.3) | | Vulnerability | | | | | |------------------------------------+---------------+------------------+------------+---------------------| | Crafted SNMPv2 Packet | A1(8.0) | A3(2.1) | A2(1.2) | A2(1.3) | | Vulnerability | | | | | +----------------------------------------------------------------------------------------------------------+ Cisco ACE module software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280557289 Cisco ACE 4710 Application Control Engine appliance software can be downloaded from: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=281222179 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Default Usernames and Passwords +------------------------------ To change the default administrative password, use the username command in configuration mode. The syntax of this command is as follows: username admin [password [0 | 5] {password}] The keywords, arguments, and options are: admin--Specifies the default administrative user name. password--(Optional) Keyword that indicates that a password follows. 0--(Optional) Specifies a clear text password. 5--(Optional) Specifies an MD5-hashed strong encryption password. password--The password in clear text, encrypted text, or MD5 strong encryption, depending on the numbered option (0 or 5) that you enter. If you do not enter a numbered option, the password is in clear text by default. Enter a password as an unquoted text string with a maximum of 64 characters. For example, to create a user named admin that uses the clear text password my_super_secret_88312, enter the following command: ACE(config)# username admin password 0 my_super_secret_88312 Note: This process can also be followed to change the www user account credentials. The dm user is for accessing the Device Manager GUI and cannot be modified or deleted. The dm user is an internal user required by the Device Manager GUI; it is hidden on the ACE CLI. For more information refer to: http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html Privilege Escalation Vulnerability +--------------------------------- There are no workarounds for this vulnerability. Crafted SSH Packet Vulnerability +------------------------------- SSH management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies. This Management Traffic Service example denies unauthorized SSH packets that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SSH access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address. The following example demonstrates how SSH access to the ACE is only allowed from the 192.168.100.1 host: !-- Configure a class to allow SSH from the trusted source ! class-map type management match-all Permit_SSH_Class description Allow SSH from trusted sources Class match protocol ssh source-address 192.168.100.1 255.255.255.255 ! !-- Configure a management policy that allows ssh from the !--trusted source configured in the above class ! policy-map type management first-match Permit_SSH_Policy description Allow SSH from trusted sources Policy class Permit_SSH_Class permit ! !-- Apply the management policy globally ! service-policy input Permit_SSH_Policy Additional information about "Configuring SSH Management Sessions" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/access.html#wp1049450 Additional information about "Configuring Class Maps and Policy Maps" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html warning Warning: It is possible to easily spoof the sender's IP address, which may defeat class maps and access control lists (ACLs) that permit communication to the device from trusted IP addresses. Crafted SNMPv2 and SNMPv3 Packet Vulnerabilities +----------------------------------------------- SNMP management traffic that can be received by the ACE is controlled through the use of class maps, policy maps, and service policies. This Management Traffic Service example denies unauthorized SNMP packets on UDP port 161 that are sent to an affected device. In the following example, 192.168.100.1 is considered a trusted source that requires SNMP access to the affected device. Care should be taken to allow all required management access to the affected device. An attacker could exploit this vulnerability using spoofed packets. This workaround cannot provide complete protection against this vulnerability when the attack comes from a trusted source address. !-- Configure a class to allow SNMP from the trusted source ! class-map type management match-all Permit_SNMP_Class description Allow SNMP from trusted sources Class 2 match protocol snmp source-address 192.168.100.1 255.255.255.255 ! !-- Configure a management policy that allows snmp from the !--trusted source configured in the above class ! policy-map type management first-match Permit_SNMP_Policy description Allow SNMP from trusted sources Policy class Permit_SNMP_Class permit !-- Apply the management policy globally ! service-policy input Permit_SNMP_Policy Additional information about "SNMP Management Traffic Services" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/snmp.html#wp1034011 Additional information about "Configuring Class Maps and Policy Maps" is available at: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090225-ace.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were found during internal testing. Status of this Notice: FINAL THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090225-ace.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +-------------------------------------------------------------------+ | Revision 1.0 | 2009-February-25 | Initial public release | +-------------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkmlbsoACgkQ86n/Gc8U/uA9egCgiM1YYI9hZhS8iZ5kbEw6vxaq gM8AnjpFAJaZ/RK593w/5j/mRHxjkLVo =rWBu -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.2) and Cisco ACE 4710 Application Control Engine Appliance before A1(8a) allows remote authenticated users to execute arbitrary operating-system commands through a command line interface (CLI). Other attacks are also possible. Remote authentication users can execute arbitrary system commands through the command line interface

Unspecified vulnerability in Cisco ACE Application Control Engine Module for Catalyst 6500 Switches and 7600 Routers before A2(1.3) and Cisco ACE 4710 Application Control Engine Appliance before A3(2.1) allows remote attackers to cause a denial of service (device reload) via a crafted SSH packet. Other attacks are also possible. Remote authentication users can cause denial of service by constructing SSH packets

Apple Safari 4 Beta build 528.16 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a feeds: URI beginning with a (1) % (percent), (2) { (open curly bracket), (3) } (close curly bracket), (4) ^ (caret), (5) ` (backquote), or (6) | (pipe) character, followed by an & (ampersand) character. Apple Safari is prone to a denial-of-service vulnerability that stems from a NULL-pointer dereference. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Apple Safari 4 Beta is vulnerable; other versions may also be affected. Safari is the web browser bundled by default in the Apple family operating system. Malformed feeds in Apple Safari: URI Null Pointer Reference Denial of Service Vulnerability. Since the user input provided in the feeds: URI is not adequately filtered, if the user is tricked into following a malicious link, a null pointer dereference will be triggered, causing the Safari process to crash

The doRead method in Apache Tomcat 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20 does not return a -1 to indicate when a certain error condition has occurred, which can cause Tomcat to send POST content from one request to a different request. Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. This vulnerability was addressed and solved in ASF Bugzilla - Bug 40771. However there was no description regarding this vulnerability in ASF Bugzilla - Bug 40771. Therefore, The Apache Tomcat Development Team has decided to publish an advisory regarding this issue.A remote attacker could possibly obtain user credentials such as password, session ID, user ID, etc. According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected. They have confirmed that Apache Tomcat 6.0.x is not affected. Remote attackers can exploit this issue to obtain sensitive data stored on the server. Information obtained may lead to further attacks. Publication of this issue was then postponed until now at the request of the reporter. For a vulnerability to exist the content read from the input stream must be disclosed, eg via writing it to the response and committing the response, before the ArrayIndexOutOfBoundsException occurs which will halt processing of the request. Mitigation: Upgrade to: 4.1.35 or later 5.5.21 or later 6.0.0 or later Example: See original bug report for example of how to create the error condition. Credit: This issue was discovered by Fujitsu and reported to the Tomcat Security Team via JPCERT. References: http://tomcat.apache.org/security.html Mark Thomas -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJpdGRb7IeiTPGAkMRAkK+AKC1m5WunqOmwuFYSYEoASF/AokgDQCffmxM U3IdbfYNVtRIzCW5XTvhv2E= =rJGg -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Apache Tomcat POST Content Disclosure Vulnerability SECUNIA ADVISORY ID: SA34057 VERIFY ADVISORY: http://secunia.com/advisories/34057/ DESCRIPTION: A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to potentially disclose sensitive information. The vulnerability is reported in versions 4.1.32 through 4.1.34 and 5.5.10 through 5.5.20. PROVIDED AND/OR DISCOVERED BY: The vendor credits Fujitsu, reporting via JPCERT. ORIGINAL ADVISORY: Apache Tomcat: http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://www.mail-archive.com/users@tomcat.apache.org/msg57428.html JVN: http://jvn.jp/jp/JVN66905322/index.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled when displaying the Help Errors log. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Adobe RoboHelp Server 6 and 7 are vulnerable. ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Adobe RoboHelp Server Cross-Site Scripting Vulnerabilities SECUNIA ADVISORY ID: SA34048 VERIFY ADVISORY: http://secunia.com/advisories/34048/ DESCRIPTION: Some vulnerabilities have been reported in Adobe RoboHelp Server, which can be exploited by malicious people to conduct cross-site scripting attacks. 1) Certain unspecified input is not properly sanitised before being returned to the user. Successful exploitation requires that the attacker has access to the RoboHelp Help Errors log or is able to trick a victim possessing the required permissions into following a malicious URL. 2) Input passed to unspecified parameters is not properly sanitised before being returned to the user. SOLUTION: Apply patches and regenerate the RoboHelp content. See vendor's advisory for additional details. PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Greg Patton, PropertyInfo Corporation 2) The vendor credits Robert Fly, SalesForce.com ORIGINAL ADVISORY: Adobe APSB09-02: http://www.adobe.com/support/security/bulletins/apsb09-02.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp 6 and 7, and RoboHelp Server 6 and 7, allows remote attackers to inject arbitrary web script or HTML via vectors involving files produced by RoboHelp. Adobe RoboHelp is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of a site that includes content generated by the affected application. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Adobe RoboHelp 6 and 7 are vulnerable. ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Adobe RoboHelp Server Cross-Site Scripting Vulnerabilities SECUNIA ADVISORY ID: SA34048 VERIFY ADVISORY: http://secunia.com/advisories/34048/ DESCRIPTION: Some vulnerabilities have been reported in Adobe RoboHelp Server, which can be exploited by malicious people to conduct cross-site scripting attacks. 1) Certain unspecified input is not properly sanitised before being returned to the user. Successful exploitation requires that the attacker has access to the RoboHelp Help Errors log or is able to trick a victim possessing the required permissions into following a malicious URL. 2) Input passed to unspecified parameters is not properly sanitised before being returned to the user. SOLUTION: Apply patches and regenerate the RoboHelp content. See vendor's advisory for additional details. PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Greg Patton, PropertyInfo Corporation 2) The vendor credits Robert Fly, SalesForce.com ORIGINAL ADVISORY: Adobe APSB09-02: http://www.adobe.com/support/security/bulletins/apsb09-02.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Huawei E960 is a small dual-mode wireless gateway and USB modem. Huawei E960 routers allow sending and receiving text messages through their web interface, but the first 32 characters of each text message are displayed without escaping in the inbox view, so remote attackers can perform cross-sites by sending malicious text messages. Script attack. In addition, the attacker can also merge multiple messages by injecting a javascript commentary by sending multiple text messages to bypass the 32-character limit. After being attacked, you cannot use the Inbox page to delete the received text message because the delete key is no longer valid. You must use the username admin and password admin telnet to the router to move text messages. The Huawei E960 uses the busybox shell, so you can use the standard rm command to move text messages (located at /tmp/sms/inbox_sms) before you can delete them from the inbox page. Huawei E960 HSDPA Router is prone to an HTML-injection vulnerability because the device's web-based interface fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Huawei E960 HSDPA Router with firmware 246.11.04.11.110sp04 is vulnerable; other versions may also be affected

Squid, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. HTTP of Host A transparent proxy server that relays the connection destination based on the header value may be exploited by an attacker. HTTP of Host Header is RFC 2616 Multiple web sites on a web server IP Used to enable address sharing. The transparent proxy server relays the network connection regardless of the browser settings. Some transparent proxy servers Host Some of them determine the connection destination based on the header value. Flash And Java Browser plug-ins such as these restrict communication by dynamic content executed on the browser to only the site or domain where the content was placed. Attackers use dynamic content, HTTP Host You can craft header values. The proxy server Host When making a decision based on the value of the header, the attacker Host By crafting the header, you can connect to any site. Attackers conduct attacks by directing users to sites with malicious dynamic content or by embedding malicious dynamic content in sites that they believe can be trusted. This issue only affects transparent proxy servers. In addition, browser Same Origin Policy Authentication information by attackers (cookie Such ) Reuse of is considered impossible.An attacker could access websites and resources that can be reached from the proxy. These sites may also include internal resources located on the intranet. Attackers may exploit this issue to obtain sensitive information such as internal intranet webpages. Additional attacks may also be possible. SOLUTION: As a workaround, the vendor recommends to "configure Guardian to block their internal web servers without passwords using hostname and IPaddress". - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201309-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Squid: Multiple vulnerabilities Date: September 27, 2013 Bugs: #261208, #389133, #447596, #452584, #461492, #476562, #476960 ID: 201309-22 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Squid, possibly resulting in remote Denial of Service. Background ========== Squid is a full-featured web proxy cache. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-proxy/squid < 3.2.13 >= 3.2.13 Description =========== Multiple vulnerabilities have been discovered in Squid. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker may be able to bypass ACL restrictions or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Squid users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-proxy/squid-3.2.13" References ========== [ 1 ] CVE-2009-0801 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0801 [ 2 ] CVE-2011-4096 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4096 [ 3 ] CVE-2012-5643 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5643 [ 4 ] CVE-2013-0189 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0189 [ 5 ] CVE-2013-1839 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1839 [ 6 ] CVE-2013-4115 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4115 [ 7 ] CVE-2013-4123 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4123 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201309-22.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2013 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Ziproxy HTTP "Host:" Header Security Bypass SECUNIA ADVISORY ID: SA34018 VERIFY ADVISORY: http://secunia.com/advisories/34018/ DESCRIPTION: A security issue has been reported in Ziproxy, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to e.g. access restricted websites or bypass a browser's security context protection mechanism by sending HTTP requests with a forged HTTP "Host:" header. via active content). The security issue is reported in version 2.6.0. Other versions may also be affected. SOLUTION: The vendor recommends to use a proxy server with better security capabilities between clients and Ziproxy. Use a firewall to restrict access to untrusted websites. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Robert Auger, PayPal Information Risk Management team. ORIGINAL ADVISORY: US-CERT VU#435052: http://www.kb.cert.org/vuls/id/435052 http://www.kb.cert.org/vuls/id/MAPG-7N9GN8 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SOLUTION: The vendor has published workarounds

Ziproxy 2.6.0, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections. Ziproxy Is used to determine the remote endpoint when transparent blocking mode is enabled. Ziproxy is prone to a security bypass vulnerability. SOLUTION: As a workaround, the vendor recommends to "configure Guardian to block their internal web servers without passwords using hostname and IPaddress". ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Ziproxy HTTP "Host:" Header Security Bypass SECUNIA ADVISORY ID: SA34018 VERIFY ADVISORY: http://secunia.com/advisories/34018/ DESCRIPTION: A security issue has been reported in Ziproxy, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused due to the application relying on HTTP "Host:" headers when acting as transparent proxy. This can be exploited to e.g. Successful exploitation requires that the attacker can forge the HTTP "Host:" header (e.g. via active content). The security issue is reported in version 2.6.0. Other versions may also be affected. SOLUTION: The vendor recommends to use a proxy server with better security capabilities between clients and Ziproxy. Use a firewall to restrict access to untrusted websites. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Robert Auger, PayPal Information Risk Management team. ORIGINAL ADVISORY: US-CERT VU#435052: http://www.kb.cert.org/vuls/id/435052 http://www.kb.cert.org/vuls/id/MAPG-7N9GN8 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SOLUTION: The vendor has published workarounds. See the vendor's advisory for additional information

Blue Coat ProxySG, when transparent interception mode is enabled, uses the HTTP Host header to determine the remote endpoint, which allows remote attackers to bypass access controls for Flash, Java, Silverlight, and probably other technologies, and possibly communicate with restricted intranet sites, via a crafted web page that causes a client to send HTTP requests with a modified Host header. Proxy servers running in interception mode ("transparent" proxies) that make connection decisions based on HTTP header values may be used by an attacker to relay connections. Multiple HTTP proxy implementations are prone to an information-disclosure vulnerability related to the interpretation of the 'Host' HTTP header. Specifically, this issue occurs when the proxy makes a forwarding decision based on the 'Host' HTTP header instead of the destination IP address. Attackers may exploit this issue to obtain sensitive information such as internal intranet webpages. Additional attacks may also be possible. SOLUTION: As a workaround, the vendor recommends to "configure Guardian to block their internal web servers without passwords using hostname and IPaddress". ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Ziproxy HTTP "Host:" Header Security Bypass SECUNIA ADVISORY ID: SA34018 VERIFY ADVISORY: http://secunia.com/advisories/34018/ DESCRIPTION: A security issue has been reported in Ziproxy, which can be exploited by malicious people to bypass certain security restrictions. This can be exploited to e.g. access restricted websites or bypass a browser's security context protection mechanism by sending HTTP requests with a forged HTTP "Host:" header. Successful exploitation requires that the attacker can forge the HTTP "Host:" header (e.g. via active content). The security issue is reported in version 2.6.0. Other versions may also be affected. SOLUTION: The vendor recommends to use a proxy server with better security capabilities between clients and Ziproxy. Use a firewall to restrict access to untrusted websites. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Robert Auger, PayPal Information Risk Management team. ORIGINAL ADVISORY: US-CERT VU#435052: http://www.kb.cert.org/vuls/id/435052 http://www.kb.cert.org/vuls/id/MAPG-7N9GN8 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . SOLUTION: The vendor has published workarounds

Help Viewer in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not verify that HTML pathnames are located in a registered help book, which allows remote attackers to execute arbitrary code via a help: URL that triggers invocation of AppleScript files. Apple Mac OS X is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious 'help:' URI. A successful exploit will allow the attacker to execute arbitrary AppleScript code. This may lead to the execution of arbitrary code or aid in further attacks. NOTE: This issue was previously covered in BID 34926 (Apple Mac OS X 2009-002 Multiple Security Vulnerabilities), but has been assigned its own record to better document it. The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues. I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. References * Apple Security Update 2009-002 - <http://support.apple.com/kb/HT3549> * Safari 3.2.3 - <http://support.apple.com/kb/HT3550> * Apple Downloads - <http://support.apple.com/downloads/> * Software Update - <https://support.apple.com/kb/HT1338?viewlocale=en_US> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-133A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-133A Feedback VU#175188" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 13, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSgsdiHIHljM+H4irAQIsGAf+IykbS/FD1X/R2ooezndAmZjrcT29XnpV HO4DiMlKmqW+dUffk4mdJLVR7y8pwUuP4TbjwncoT39SDR9UoEankv7+Dao/qkM/ Jp0flkEpb5qtcIm9VnuWvpCE31OZZgwBwJ7f2WWzbBLqoZ5FIWAhCcW6E5v6mjVy J+Z4BmHYUIapPLzGzV8+HT6/7LRNpg+mZoldEBUoXXjik8o78v5A7iGyMSXoaBlV vL8N/3GG9a9xecLqbbv5N6ABsncHA9f/GzBnfJUqVHkUM1xnjqmgd7TZikObw+fJ xcgWvmYmoRdCMzM3b1jPqWPDGJDbo0oHZM3J3hKE+opsLe9xChM1qA== =dQ2L -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Are you missing: SECUNIA ADVISORY ID: Critical: Impact: Where: within the advisory below? This is now part of the Secunia commercial solutions. 1) A vulnerability in Apache when handling FTP proxy requests can be exploited by malicious people to conduct cross-site scripting attacks. For more information: SA31384 2) A boundary error in the handling of Compact Font Format (CFF) fonts in Apple Type Services can be exploited to cause a heap-based buffer overflow when specially crafted document is downloaded or viewed. 3) A vulnerability in BIND can potentially be exploited by malicious people to conduct spoofing attacks. For more information: SA33404 4) An error in the parsing of Set-Cookie headers in CFNetwork can result in applications using CFNetwork sending sensitive information in unencrypted HTTP requests. 5) An unspecified error in the processing of HTTP headers in CFNetwork can be exploited to cause a heap-based buffer overflow when visiting a malicious web site. 6) Multiple errors exist in the processing of PDF files in CoreGraphics, which can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file. 7) An integer underflow error in the processing of PDF files in CoreGraphics can be exploited to cause a heap-based buffer overflow when specially crafted PDF files is opened. 8) Multiple vulnerabilities in the processing of JBIG2 streams within PDF files in CoreGraphics can be exploited by malicious people to compromise a user's system. For more information: SA34291 9) Multiple vulnerabilities in cscope can be exploited by malicious people to compromise a user's system. For more information: SA34978: 10) A boundary error in the handling of disk images can be exploited to cause a stack-based buffer overflow when a specially crafted disk image is mounted. 11) Multiple unspecified errors in the handling of disk images can be exploited to cause memory corruptions when a specially crafted disk image is mounted. 12) Multiple vulnerabilities in enscript can be exploited by malicious people to compromise a vulnerable system. For more information: SA13968 SA32137 13) Multiple vulnerabilities in the Flash Player plugin can be exploited by malicious people to compromise a user's system. For more information: SA34012 14) An error in Help Viewer when loading Cascading Style Sheets referenced in URL parameters can be exploited to invoke arbitrary AppleScript files. 16) An error in iChat can result in AIM communication configured for SSL to be sent in plaintext. 17) An error in the handling of certain character encodings in ICU can be exploited to bypass filters on websites that attempt to mitigate cross-site scripting. 18) Some vulnerabilities in IPSec can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA31450 SA31478 19) Multiple vulnerabilities in Kerberos can be exploited by malicious people to potentially disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA34347 20) An error in the handling of workqueues within the kernel can be exploited by malicious, local users to cause a DoS or execute arbitrary code with Kernel privileges. 21) An error in Launch Services can cause Finder to repeatedly terminate and relaunch when a specially crafted Mach-O is downloaded. 22) A vulnerability in libxml can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA31558 23) A vulnerability in Net-SNMP can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA32560 24) A vulnerability in Network Time can be exploited by malicious people to conduct spoofing attacks. For more information: SA33406 25) A vulnerability in Network Time can be exploited by malicious people to potentially compromise a user's system. For more information: SA34608 26) A vulnerability in Networking can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA31745 27) A vulnerability in OpenSSL can be exploited by malicious people to conduct spoofing attacks. For more information: SA33338 28) Some vulnerabilities in PHP can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system, and by malicious, local users to bypass certain security restrictions. For more information: SA32964 29) An unspecified error in QuickDraw Manager can be exploited to cause a memory corruption and potentially execute arbitrary code via a specially crafted PICT image. 30) An integer underflow error in the handling of PICT images in QuickDraw Manager can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file. 31) Multiple vulnerabilities in ruby can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks. For more information: SA31430 SA31602 32) An error in the use of the OpenSSL library in ruby can cause revoked certificates to be accepted. 33) A vulnerability in Safari when handling "feed:" URLs can be exploited to compromise a user's system. For more information: SA35056 34) Multiple unspecified errors in Spotlight can be exploited to cause memory corruptions and execute arbitrary code when a specially crafted Office document is downloaded. 35) An error when invoking the "login" command can result in unexpected high privileges. 36) A boundary error in telnet can be exploited to cause a stack-based buffer overflow when connecting to a server with an overly long canonical name in its DNS address record. For more information: SA35056 38) Multiple vulnerabilities in FreeType can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise applications using the library. For more information: SA20100 SA25350 SA34723 39) A vulnerability in xterm can be exploited by malicious people to compromise a user's system. For more information: SA33318 40) Multiple vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library. Nathan 8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC 10) Tiller Beauchamp, IOActive 14, 15) Brian Mastenbrook 17) Chris Weber of Casaba Security 20) An anonymous researcher working with Verisign iDefense VCP 30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries of Carnegie Mellon University Computing Services 38) Tavis Ormandy of the Google Security Team OTHER REFERENCES: SA13968: http://secunia.com/advisories/13968/ SA20100: http://secunia.com/advisories/20100/ SA25350: http://secunia.com/advisories/25350/ SA29792: http://secunia.com/advisories/29792/ SA31384: http://secunia.com/advisories/31384/ SA31430: http://secunia.com/advisories/31430/ SA31450: http://secunia.com/advisories/31450/ SA31478: http://secunia.com/advisories/31478/ SA31558: http://secunia.com/advisories/31558/ SA31602: http://secunia.com/advisories/31602/ SA31745: http://secunia.com/advisories/31745/ SA32137: http://secunia.com/advisories/32137/ SA32560: http://secunia.com/advisories/32560/ SA32964: http://secunia.com/advisories/32964/ SA33318: http://secunia.com/advisories/33318/ SA33338: http://secunia.com/advisories/33338/ SA33404: http://secunia.com/advisories/33404/ SA33406: http://secunia.com/advisories/33406/ SA33970: http://secunia.com/advisories/33970/ SA34012: http://secunia.com/advisories/34012/ SA34291: http://secunia.com/advisories/34291/ SA34347: http://secunia.com/advisories/34347/ SA34608: http://secunia.com/advisories/34608/ SA34723: http://secunia.com/advisories/34723/ SA34978: http://secunia.com/advisories/34978/ SA35056: http://secunia.com/advisories/35056/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Microsoft Office Spotlight Importer in Spotlight in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 does not properly validate Microsoft Office files, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a file that triggers memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002. The security update addresses new vulnerabilities that affect Apple Type Services, CFNetwork, CoreGraphics, Disk Images, Help Viewer, iChat, ICU, Kernel, Launch Services, QuickDraw Manager, and Spotlight components of Mac OS X. The advisory also contains security updates for 47 previously reported issues. The following individual records have been created to better document the new issues: 34932 Apple Mac OS X Launch Services Denial of Service Vulnerability 34937 Apple Mac OS X QuickDraw PICT Handling Memory Corruption Vulnerability 34938 Apple Mac OS X PICT Image Handling Integer Overflow Vulnerability 34939 Apple Mac OS X SpotLight Multiple Memory Corruption Vulnerabilities 34941 Apple Mac OS X Local 'login' Privilege Escalation Vulnerability 34942 Apple Mac OS X Disk Image Multiple Memory Corruption Vulnerabilities 34947 Apple Mac OS X Compact Font Format (CFF) Heap Based Buffer Overflow Vulnerability 34948 Apple Mac OS X Telnet Stack Overflow Vulnerability 34950 Apple Mac OS X Help Viewer Cascading Style Sheets Remote Code Execution Vulnerability 34951 Apple Mac OS X CFNetwork 'Set-Cookie' Headers Information Disclosure Vulnerability 34952 Apple Mac OS X Help Viewer HTML Document Remote Code Execution Vulnerability 34958 Apple Mac OS X CFNetwork HTTP Header Handling Heap Buffer Overflow Vulnerability 34959 Apple Mac OS X Kernel Workqueue Local Privilege Escalation Vulnerability 34962 Apple Mac OS X CoreGraphics PDF Handling Multiple Memory Corruption Vulnerabilities 34965 Apple Mac OS X CoreGraphics PDF Handling Heap Overflow Vulnerability 34972 Apple Mac OS X Disk Image Stack Buffer Overflow Vulnerability 34973 Apple Mac OS X iChat Disabled SSL Connection Information Disclosure Vulnerability 34974 Apple Mac OS X International Components for Unicode Invalid Byte Sequence Handling Vulnerability. An attacker can exploit these issues by tricking a victim into opening a malicious file. A successful exploit will allow attacker-supplied content to execute in the context of the victim running the affected application. I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. References * Apple Security Update 2009-002 - <http://support.apple.com/kb/HT3549> * Safari 3.2.3 - <http://support.apple.com/kb/HT3550> * Apple Downloads - <http://support.apple.com/downloads/> * Software Update - <https://support.apple.com/kb/HT1338?viewlocale=en_US> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-133A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-133A Feedback VU#175188" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 13, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSgsdiHIHljM+H4irAQIsGAf+IykbS/FD1X/R2ooezndAmZjrcT29XnpV HO4DiMlKmqW+dUffk4mdJLVR7y8pwUuP4TbjwncoT39SDR9UoEankv7+Dao/qkM/ Jp0flkEpb5qtcIm9VnuWvpCE31OZZgwBwJ7f2WWzbBLqoZ5FIWAhCcW6E5v6mjVy J+Z4BmHYUIapPLzGzV8+HT6/7LRNpg+mZoldEBUoXXjik8o78v5A7iGyMSXoaBlV vL8N/3GG9a9xecLqbbv5N6ABsncHA9f/GzBnfJUqVHkUM1xnjqmgd7TZikObw+fJ xcgWvmYmoRdCMzM3b1jPqWPDGJDbo0oHZM3J3hKE+opsLe9xChM1qA== =dQ2L -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Are you missing: SECUNIA ADVISORY ID: Critical: Impact: Where: within the advisory below? This is now part of the Secunia commercial solutions. 1) A vulnerability in Apache when handling FTP proxy requests can be exploited by malicious people to conduct cross-site scripting attacks. For more information: SA31384 2) A boundary error in the handling of Compact Font Format (CFF) fonts in Apple Type Services can be exploited to cause a heap-based buffer overflow when specially crafted document is downloaded or viewed. Successful exploitation allows execution of arbitrary code. 3) A vulnerability in BIND can potentially be exploited by malicious people to conduct spoofing attacks. For more information: SA33404 4) An error in the parsing of Set-Cookie headers in CFNetwork can result in applications using CFNetwork sending sensitive information in unencrypted HTTP requests. 5) An unspecified error in the processing of HTTP headers in CFNetwork can be exploited to cause a heap-based buffer overflow when visiting a malicious web site. Successful exploitation allows execution of arbitrary code. 6) Multiple errors exist in the processing of PDF files in CoreGraphics, which can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file. 7) An integer underflow error in the processing of PDF files in CoreGraphics can be exploited to cause a heap-based buffer overflow when specially crafted PDF files is opened. Successful exploitation allows execution of arbitrary code. 8) Multiple vulnerabilities in the processing of JBIG2 streams within PDF files in CoreGraphics can be exploited by malicious people to compromise a user's system. For more information: SA34291 9) Multiple vulnerabilities in cscope can be exploited by malicious people to compromise a user's system. For more information: SA34978: 10) A boundary error in the handling of disk images can be exploited to cause a stack-based buffer overflow when a specially crafted disk image is mounted. 11) Multiple unspecified errors in the handling of disk images can be exploited to cause memory corruptions when a specially crafted disk image is mounted. Successful exploitation of vulnerabilities #10 and #11 allows execution of arbitrary code. 12) Multiple vulnerabilities in enscript can be exploited by malicious people to compromise a vulnerable system. For more information: SA13968 SA32137 13) Multiple vulnerabilities in the Flash Player plugin can be exploited by malicious people to compromise a user's system. For more information: SA34012 14) An error in Help Viewer when loading Cascading Style Sheets referenced in URL parameters can be exploited to invoke arbitrary AppleScript files. 15) A vulnerability exists due to Help Viewer not validating that full paths to HTML documents are within registered help books, which can be exploited to invoke arbitrary AppleScript files. Successful exploitation of vulnerabilities #14 and #15 allows execution of arbitrary code. 16) An error in iChat can result in AIM communication configured for SSL to be sent in plaintext. 17) An error in the handling of certain character encodings in ICU can be exploited to bypass filters on websites that attempt to mitigate cross-site scripting. 18) Some vulnerabilities in IPSec can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA31450 SA31478 19) Multiple vulnerabilities in Kerberos can be exploited by malicious people to potentially disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA34347 20) An error in the handling of workqueues within the kernel can be exploited by malicious, local users to cause a DoS or execute arbitrary code with Kernel privileges. 21) An error in Launch Services can cause Finder to repeatedly terminate and relaunch when a specially crafted Mach-O is downloaded. 22) A vulnerability in libxml can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA31558 23) A vulnerability in Net-SNMP can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA32560 24) A vulnerability in Network Time can be exploited by malicious people to conduct spoofing attacks. For more information: SA33406 25) A vulnerability in Network Time can be exploited by malicious people to potentially compromise a user's system. For more information: SA34608 26) A vulnerability in Networking can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA31745 27) A vulnerability in OpenSSL can be exploited by malicious people to conduct spoofing attacks. For more information: SA33338 28) Some vulnerabilities in PHP can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system, and by malicious, local users to bypass certain security restrictions. For more information: SA32964 29) An unspecified error in QuickDraw Manager can be exploited to cause a memory corruption and potentially execute arbitrary code via a specially crafted PICT image. 30) An integer underflow error in the handling of PICT images in QuickDraw Manager can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file. Successful exploitation allows execution of arbitrary code. 31) Multiple vulnerabilities in ruby can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks. For more information: SA31430 SA31602 32) An error in the use of the OpenSSL library in ruby can cause revoked certificates to be accepted. 33) A vulnerability in Safari when handling "feed:" URLs can be exploited to compromise a user's system. 35) An error when invoking the "login" command can result in unexpected high privileges. 36) A boundary error in telnet can be exploited to cause a stack-based buffer overflow when connecting to a server with an overly long canonical name in its DNS address record. Successful exploitation may allow execution of arbitrary code. 37) A vulnerability in WebKit when handling SVGList objects can be exploited to corrupt memory and potentially execute arbitrary code. For more information: SA35056 38) Multiple vulnerabilities in FreeType can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise applications using the library. For more information: SA20100 SA25350 SA34723 39) A vulnerability in xterm can be exploited by malicious people to compromise a user's system. For more information: SA33318 40) Multiple vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library. Nathan 8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC 10) Tiller Beauchamp, IOActive 14, 15) Brian Mastenbrook 17) Chris Weber of Casaba Security 20) An anonymous researcher working with Verisign iDefense VCP 30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries of Carnegie Mellon University Computing Services 38) Tavis Ormandy of the Google Security Team OTHER REFERENCES: SA13968: http://secunia.com/advisories/13968/ SA20100: http://secunia.com/advisories/20100/ SA25350: http://secunia.com/advisories/25350/ SA29792: http://secunia.com/advisories/29792/ SA31384: http://secunia.com/advisories/31384/ SA31430: http://secunia.com/advisories/31430/ SA31450: http://secunia.com/advisories/31450/ SA31478: http://secunia.com/advisories/31478/ SA31558: http://secunia.com/advisories/31558/ SA31602: http://secunia.com/advisories/31602/ SA31745: http://secunia.com/advisories/31745/ SA32137: http://secunia.com/advisories/32137/ SA32560: http://secunia.com/advisories/32560/ SA32964: http://secunia.com/advisories/32964/ SA33318: http://secunia.com/advisories/33318/ SA33338: http://secunia.com/advisories/33338/ SA33404: http://secunia.com/advisories/33404/ SA33406: http://secunia.com/advisories/33406/ SA33970: http://secunia.com/advisories/33970/ SA34012: http://secunia.com/advisories/34012/ SA34291: http://secunia.com/advisories/34291/ SA34347: http://secunia.com/advisories/34347/ SA34608: http://secunia.com/advisories/34608/ SA34723: http://secunia.com/advisories/34723/ SA34978: http://secunia.com/advisories/34978/ SA35056: http://secunia.com/advisories/35056/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

QuickDraw Manager in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PICT image that triggers memory corruption. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2009-002. The advisory also contains security updates for 47 previously reported issues. The following individual records have been created to better document the new issues: 34932 Apple Mac OS X Launch Services Denial of Service Vulnerability 34937 Apple Mac OS X QuickDraw PICT Handling Memory Corruption Vulnerability 34938 Apple Mac OS X PICT Image Handling Integer Overflow Vulnerability 34939 Apple Mac OS X SpotLight Multiple Memory Corruption Vulnerabilities 34941 Apple Mac OS X Local 'login' Privilege Escalation Vulnerability 34942 Apple Mac OS X Disk Image Multiple Memory Corruption Vulnerabilities 34947 Apple Mac OS X Compact Font Format (CFF) Heap Based Buffer Overflow Vulnerability 34948 Apple Mac OS X Telnet Stack Overflow Vulnerability 34950 Apple Mac OS X Help Viewer Cascading Style Sheets Remote Code Execution Vulnerability 34951 Apple Mac OS X CFNetwork 'Set-Cookie' Headers Information Disclosure Vulnerability 34952 Apple Mac OS X Help Viewer HTML Document Remote Code Execution Vulnerability 34958 Apple Mac OS X CFNetwork HTTP Header Handling Heap Buffer Overflow Vulnerability 34959 Apple Mac OS X Kernel Workqueue Local Privilege Escalation Vulnerability 34962 Apple Mac OS X CoreGraphics PDF Handling Multiple Memory Corruption Vulnerabilities 34965 Apple Mac OS X CoreGraphics PDF Handling Heap Overflow Vulnerability 34972 Apple Mac OS X Disk Image Stack Buffer Overflow Vulnerability 34973 Apple Mac OS X iChat Disabled SSL Connection Information Disclosure Vulnerability 34974 Apple Mac OS X International Components for Unicode Invalid Byte Sequence Handling Vulnerability. An attacker can exploit this issue by tricking a victim into opening a specially crafted PICT image file. A successful exploit will allow arbitrary attacker-supplied code to run in the context of the victim running the affected application. I. II. Impact The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution, sensitive information disclosure, denial of service, or privilege escalation. III. These and other updates are available via Software Update or via Apple Downloads. IV. References * Apple Security Update 2009-002 - <http://support.apple.com/kb/HT3549> * Safari 3.2.3 - <http://support.apple.com/kb/HT3550> * Apple Downloads - <http://support.apple.com/downloads/> * Software Update - <https://support.apple.com/kb/HT1338?viewlocale=en_US> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-133A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-133A Feedback VU#175188" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 13, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSgsdiHIHljM+H4irAQIsGAf+IykbS/FD1X/R2ooezndAmZjrcT29XnpV HO4DiMlKmqW+dUffk4mdJLVR7y8pwUuP4TbjwncoT39SDR9UoEankv7+Dao/qkM/ Jp0flkEpb5qtcIm9VnuWvpCE31OZZgwBwJ7f2WWzbBLqoZ5FIWAhCcW6E5v6mjVy J+Z4BmHYUIapPLzGzV8+HT6/7LRNpg+mZoldEBUoXXjik8o78v5A7iGyMSXoaBlV vL8N/3GG9a9xecLqbbv5N6ABsncHA9f/GzBnfJUqVHkUM1xnjqmgd7TZikObw+fJ xcgWvmYmoRdCMzM3b1jPqWPDGJDbo0oHZM3J3hKE+opsLe9xChM1qA== =dQ2L -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Are you missing: SECUNIA ADVISORY ID: Critical: Impact: Where: within the advisory below? This is now part of the Secunia commercial solutions. 1) A vulnerability in Apache when handling FTP proxy requests can be exploited by malicious people to conduct cross-site scripting attacks. For more information: SA31384 2) A boundary error in the handling of Compact Font Format (CFF) fonts in Apple Type Services can be exploited to cause a heap-based buffer overflow when specially crafted document is downloaded or viewed. 3) A vulnerability in BIND can potentially be exploited by malicious people to conduct spoofing attacks. For more information: SA33404 4) An error in the parsing of Set-Cookie headers in CFNetwork can result in applications using CFNetwork sending sensitive information in unencrypted HTTP requests. 5) An unspecified error in the processing of HTTP headers in CFNetwork can be exploited to cause a heap-based buffer overflow when visiting a malicious web site. 6) Multiple errors exist in the processing of PDF files in CoreGraphics, which can be exploited to corrupt memory and execute arbitrary code via a specially crafted PDF file. 7) An integer underflow error in the processing of PDF files in CoreGraphics can be exploited to cause a heap-based buffer overflow when specially crafted PDF files is opened. 8) Multiple vulnerabilities in the processing of JBIG2 streams within PDF files in CoreGraphics can be exploited by malicious people to compromise a user's system. For more information: SA34291 9) Multiple vulnerabilities in cscope can be exploited by malicious people to compromise a user's system. For more information: SA34978: 10) A boundary error in the handling of disk images can be exploited to cause a stack-based buffer overflow when a specially crafted disk image is mounted. 11) Multiple unspecified errors in the handling of disk images can be exploited to cause memory corruptions when a specially crafted disk image is mounted. 12) Multiple vulnerabilities in enscript can be exploited by malicious people to compromise a vulnerable system. For more information: SA13968 SA32137 13) Multiple vulnerabilities in the Flash Player plugin can be exploited by malicious people to compromise a user's system. For more information: SA34012 14) An error in Help Viewer when loading Cascading Style Sheets referenced in URL parameters can be exploited to invoke arbitrary AppleScript files. 15) A vulnerability exists due to Help Viewer not validating that full paths to HTML documents are within registered help books, which can be exploited to invoke arbitrary AppleScript files. 16) An error in iChat can result in AIM communication configured for SSL to be sent in plaintext. 17) An error in the handling of certain character encodings in ICU can be exploited to bypass filters on websites that attempt to mitigate cross-site scripting. 18) Some vulnerabilities in IPSec can be exploited by malicious users and malicious people to cause a DoS (Denial of Service). For more information: SA31450 SA31478 19) Multiple vulnerabilities in Kerberos can be exploited by malicious people to potentially disclose sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. For more information: SA34347 20) An error in the handling of workqueues within the kernel can be exploited by malicious, local users to cause a DoS or execute arbitrary code with Kernel privileges. 21) An error in Launch Services can cause Finder to repeatedly terminate and relaunch when a specially crafted Mach-O is downloaded. 22) A vulnerability in libxml can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. For more information: SA31558 23) A vulnerability in Net-SNMP can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA32560 24) A vulnerability in Network Time can be exploited by malicious people to conduct spoofing attacks. For more information: SA33406 25) A vulnerability in Network Time can be exploited by malicious people to potentially compromise a user's system. For more information: SA34608 26) A vulnerability in Networking can be exploited by malicious people to cause a DoS (Denial of Service). For more information: SA31745 27) A vulnerability in OpenSSL can be exploited by malicious people to conduct spoofing attacks. For more information: SA33338 28) Some vulnerabilities in PHP can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system, and by malicious, local users to bypass certain security restrictions. 31) Multiple vulnerabilities in ruby can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks. For more information: SA31430 SA31602 32) An error in the use of the OpenSSL library in ruby can cause revoked certificates to be accepted. 33) A vulnerability in Safari when handling "feed:" URLs can be exploited to compromise a user's system. For more information: SA35056 34) Multiple unspecified errors in Spotlight can be exploited to cause memory corruptions and execute arbitrary code when a specially crafted Office document is downloaded. 35) An error when invoking the "login" command can result in unexpected high privileges. 36) A boundary error in telnet can be exploited to cause a stack-based buffer overflow when connecting to a server with an overly long canonical name in its DNS address record. 37) A vulnerability in WebKit when handling SVGList objects can be exploited to corrupt memory and potentially execute arbitrary code. For more information: SA35056 38) Multiple vulnerabilities in FreeType can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise applications using the library. For more information: SA20100 SA25350 SA34723 39) A vulnerability in xterm can be exploited by malicious people to compromise a user's system. For more information: SA33318 40) Multiple vulnerabilities in libpng can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library. Nathan 8) Alin Rad Pop, Secunia Research and Will Dormann, CERT/CC 10) Tiller Beauchamp, IOActive 14, 15) Brian Mastenbrook 17) Chris Weber of Casaba Security 20) An anonymous researcher working with Verisign iDefense VCP 30) Damian Put and Sebastian Apelt, working with ZDI, and Chris Ries of Carnegie Mellon University Computing Services 38) Tavis Ormandy of the Google Security Team OTHER REFERENCES: SA13968: http://secunia.com/advisories/13968/ SA20100: http://secunia.com/advisories/20100/ SA25350: http://secunia.com/advisories/25350/ SA29792: http://secunia.com/advisories/29792/ SA31384: http://secunia.com/advisories/31384/ SA31430: http://secunia.com/advisories/31430/ SA31450: http://secunia.com/advisories/31450/ SA31478: http://secunia.com/advisories/31478/ SA31558: http://secunia.com/advisories/31558/ SA31602: http://secunia.com/advisories/31602/ SA31745: http://secunia.com/advisories/31745/ SA32137: http://secunia.com/advisories/32137/ SA32560: http://secunia.com/advisories/32560/ SA32964: http://secunia.com/advisories/32964/ SA33318: http://secunia.com/advisories/33318/ SA33338: http://secunia.com/advisories/33338/ SA33404: http://secunia.com/advisories/33404/ SA33406: http://secunia.com/advisories/33406/ SA33970: http://secunia.com/advisories/33970/ SA34012: http://secunia.com/advisories/34012/ SA34291: http://secunia.com/advisories/34291/ SA34347: http://secunia.com/advisories/34347/ SA34608: http://secunia.com/advisories/34608/ SA34723: http://secunia.com/advisories/34723/ SA34978: http://secunia.com/advisories/34978/ SA35056: http://secunia.com/advisories/35056/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------