VARIoT IoT vulnerabilities database

Unspecified vulnerability in the Wireless LAN Controller (WLC) TSEC driver in the Cisco 4400 WLC, Cisco Catalyst 6500 and 7600 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.1 allows remote attackers to cause a denial of service (device crash or hang) via unknown IP packets. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities: - Multiple denial-of-service vulnerabilities - A remote privilege-escalation vulnerability Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users. SOLUTION: Update to a fixed version. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. This security advisory outlines details of the following vulnerabilities: * Denial of Service Vulnerabilities (total of three) * Privilege Escalation Vulnerability These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available for these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml. Affected Products ================= Vulnerable Products +------------------ The following products and software versions are affected for each vulnerability. Denial of Service Vulnerabilities +-------------------------------- Two denial of service (DoS) vulnerabilities affect software versions 4.2 and later. A third DoS vulnerability affects software versions 4.1 and later. Privilege Escalation Vulnerability +--------------------------------- Only WLC software version 4.2.173.0 is affected by this vulnerability. Determination of Software Versions +--------------------------------- To determine the WLC version that is running in a given environment, use one of the following methods: * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version. * From the command-line interface, type "show sysinfo" and note the Product Version, as shown in the following example: (Cisco Controller) >show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the Software Version, as demonstrated in the following example: Router#show wism mod 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. These devices communicate with Controller-based Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP). This Security Advisory describes multiple distinct vulnerabilities in the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These vulnerabilities are independent of each other. Denial of Service Vulnerabilities +-------------------------------- These vulnerabilities are documented in the following Cisco Bug ID and have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CSCsq44516 - CVE-2009-0058 Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password. An attacker may use a vulnerability scanner to cause the device to stop servicing web authentication or cause a reload of the device. The following error messages may appear on the console during an active attack: SshPmStMain/pm_st_main.c:1954/ ssh_pm_st_main_batch_addition_result: Failed to add rule to the engine: restoring old state SshEnginePmApiPm/engine_pm_api_pm.c:1896/ ssh_pme_enable_policy_lookup: Could not allocate message * CSCsm82364 - CVE-2009-0059 An attacker may cause a device reload when sending a malformed post to the web authentication "login.html" page. The following error messages may appear on the WLC console during this attack: Cisco Crash Handler Signal generated during a signal 11, count 193 Memory 0x14ef1e44 has been freed! Note: A crash file is not generated during this attack. Upon receiving these IP packets, the affected device may become unresponsive and require a reboot to recover. Privilege Escalation Vulnerability +--------------------------------- A privilege escalation vulnerability exists only in WLC software version 4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain full administrative rights on the affected system. Note: Wireless network users are not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsv62283 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0062. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * Certain packets may cause WebAuth services to hang or reload the device (CSCsq44516) CVSS Base Score - 6.1 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.0 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crash handling invalid post for webauth (CSCsq44516) CVSS Base Score - 6.1 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.0 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * WLC TSEC driver may hang or crash the device (CSCso60979) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Local Management Users may obtain full admin rights (CSCsv62283) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload. Repeated exploitation could result in a sustained DoS condition. The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-----------------------------------------------------+ | Vulnerability | Affected | First | Recommended | | / Bug ID | Release | Fixed | Release | | | | Version | | |---------------+----------+------------+-------------| | | 4.1 | Migrate to | 4.2.176.0 | | | | 4.2 | | | |----------+------------+-------------| | | 4.2 | 4.2.173.0 | 4.2.176.0 | | |----------+------------+-------------| | | 5.0 | Migrate to | 5.2.157.0 | | CSCsq44516 | | 5.2 | | | |----------+------------+-------------| | | 5.1 | Contact | Contact TAC | | | | TAC | | | |----------+------------+-------------| | | 5.2 | Not | Not | | | | vulnerable | Vulnerable | |---------------+----------+------------+-------------| | | 4.1 | Migrate to | 4.2.176.0 | | | | 4.2 | | | |----------+------------+-------------| | | 4.2 | 4.2.112.0 | 4.2.176.0 | | |----------+------------+-------------| | CSCsm82364 | 5.0 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 5.2 | 5.2.157.0 | 5.2.157.0 | |---------------+----------+------------+-------------| | | 4.1 | Migrate to | 4.2.176.0 | | | | 4.2 | | | |----------+------------+-------------| | | 4.2 | 4.2.117.0 | 4.2.176.0 | | |----------+------------+-------------| | | 5.0 | Migrate to | 5.2.157.0 | | CSCso60979 | | 5.2 | | | |----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 5.2 | Not | Not | | | | vulnerable | vulnerable | |---------------+----------+------------+-------------| | | 4.1 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 4.2 | 4.2.174.0 | 4.2.176.0 | | |----------+------------+-------------| | | 5.0 | Not | Not | | CSCsv62283 | | Vulnerable | Vulnerable | | |----------+------------+-------------| | | 5.1 | Not | Not | | | | Vulnerable | vulnerable | | |----------+------------+-------------| | | 5.2 | Not | Not | | | | Vulnerable | vulnerable | +-----------------------------------------------------+ Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510 Access Points (APs) are recommended to migrate to release 4.2.176.0. Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are recommended to migrate to 5.2 or later. Workarounds =========== There are no workarounds for any of these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-February-04 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 04, 2009 Document ID: 108336 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmJxSEACgkQ86n/Gc8U/uB4XQCfadDoSJbA5K+0GujUY02Rj1Ua xnUAn0nc+bNHTzHwD298ai3ZW/JWKWaU =waFY -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

The Cisco Wireless LAN Controller (WLC), Cisco Catalyst 6500 Wireless Services Module (WiSM), and Cisco Catalyst 3750 Integrated Wireless LAN Controller with software 4.x before 4.2.176.0 and 5.x before 5.2 allow remote attackers to cause a denial of service (web authentication outage or device reload) via unspecified network traffic, as demonstrated by a vulnerability scanner. Multiple Cisco Wireless LAN Controllers are prone to these remote vulnerabilities: - Multiple denial-of-service vulnerabilities - A remote privilege-escalation vulnerability Remote attackers can exploit these issues to gain administrative rights on an affected device or crash the device, denying service to legitimate users. SOLUTION: Update to a fixed version. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. This security advisory outlines details of the following vulnerabilities: * Denial of Service Vulnerabilities (total of three) * Privilege Escalation Vulnerability These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. There are no workarounds available for these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml. Affected Products ================= Vulnerable Products +------------------ The following products and software versions are affected for each vulnerability. Denial of Service Vulnerabilities +-------------------------------- Two denial of service (DoS) vulnerabilities affect software versions 4.2 and later. A third DoS vulnerability affects software versions 4.1 and later. Privilege Escalation Vulnerability +--------------------------------- Only WLC software version 4.2.173.0 is affected by this vulnerability. Determination of Software Versions +--------------------------------- To determine the WLC version that is running in a given environment, use one of the following methods: * In the web interface, choose the Monitor tab, click Summary in the left pane, and note the Software Version. * From the command-line interface, type "show sysinfo" and note the Product Version, as shown in the following example: (Cisco Controller) >show sysinfo Manufacturer's Name.. Cisco Systems Inc. Product Name......... Cisco Controller Product Version...... 5.1.151.0 RTOS Version......... Linux-2.6.10_mvl401 Bootloader Version... 4.0.207.0 Build Type........... DATA + WPS <output suppressed> Use the "show wism module <module number> controller 1 status" command on a Cisco Catalyst 6500 Series/7600 Series switch if using a WiSM, and note the Software Version, as demonstrated in the following example: Router#show wism mod 3 controller 1 status WiSM Controller 1 in Slot 3 Operational Status of the Controller : Oper-Up Service VLAN : 192 Service Port : 10 Service Port Mac Address : 0011.92ff.8742 Service IP Address : 192.168.10.1 Management IP Address : 192.168.1.123 Software Version : 5.1.151.0 Port Channel Number : 288 Allowed vlan list : 30,40 Native VLAN ID : 40 WCP Keep Alive Missed : 0 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. These devices communicate with Controller-based Access Points over any Layer 2 (Ethernet) or Layer 3 (IP) infrastructure using the Lightweight Access Point Protocol (LWAPP). This Security Advisory describes multiple distinct vulnerabilities in the WLCs, WiSMs, and the Cisco Catalyst 3750 Integrated WLCs. These vulnerabilities are independent of each other. Denial of Service Vulnerabilities +-------------------------------- These vulnerabilities are documented in the following Cisco Bug ID and have been assigned the following Common Vulnerabilities and Exposures (CVE) identifiers: * CSCsq44516 - CVE-2009-0058 Web authentication is a Layer 3 security feature that causes the controller to drop IP traffic (except DHCP and DNS related packets) from a particular client until that client has correctly supplied a valid username and password. An attacker may use a vulnerability scanner to cause the device to stop servicing web authentication or cause a reload of the device. The following error messages may appear on the console during an active attack: SshPmStMain/pm_st_main.c:1954/ ssh_pm_st_main_batch_addition_result: Failed to add rule to the engine: restoring old state SshEnginePmApiPm/engine_pm_api_pm.c:1896/ ssh_pme_enable_policy_lookup: Could not allocate message * CSCsm82364 - CVE-2009-0059 An attacker may cause a device reload when sending a malformed post to the web authentication "login.html" page. The following error messages may appear on the WLC console during this attack: Cisco Crash Handler Signal generated during a signal 11, count 193 Memory 0x14ef1e44 has been freed! Note: A crash file is not generated during this attack. Upon receiving these IP packets, the affected device may become unresponsive and require a reboot to recover. Privilege Escalation Vulnerability +--------------------------------- A privilege escalation vulnerability exists only in WLC software version 4.2.173.0, and could allow a restricted user (i.e., Lobby Admin) to gain full administrative rights on the affected system. Note: Wireless network users are not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsv62283 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-0062. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * Certain packets may cause WebAuth services to hang or reload the device (CSCsq44516) CVSS Base Score - 6.1 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.0 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Crash handling invalid post for webauth (CSCsq44516) CVSS Base Score - 6.1 Access Vector - Adjacent Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.0 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * WLC TSEC driver may hang or crash the device (CSCso60979) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * Local Management Users may obtain full admin rights (CSCsv62283) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.8 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload. Repeated exploitation could result in a sustained DoS condition. The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-----------------------------------------------------+ | Vulnerability | Affected | First | Recommended | | / Bug ID | Release | Fixed | Release | | | | Version | | |---------------+----------+------------+-------------| | | 4.1 | Migrate to | 4.2.176.0 | | | | 4.2 | | | |----------+------------+-------------| | | 4.2 | 4.2.173.0 | 4.2.176.0 | | |----------+------------+-------------| | | 5.0 | Migrate to | 5.2.157.0 | | CSCsq44516 | | 5.2 | | | |----------+------------+-------------| | | 5.1 | Contact | Contact TAC | | | | TAC | | | |----------+------------+-------------| | | 5.2 | Not | Not | | | | vulnerable | Vulnerable | |---------------+----------+------------+-------------| | | 4.1 | Migrate to | 4.2.176.0 | | | | 4.2 | | | |----------+------------+-------------| | | 4.2 | 4.2.112.0 | 4.2.176.0 | | |----------+------------+-------------| | CSCsm82364 | 5.0 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 5.2 | 5.2.157.0 | 5.2.157.0 | |---------------+----------+------------+-------------| | | 4.1 | Migrate to | 4.2.176.0 | | | | 4.2 | | | |----------+------------+-------------| | | 4.2 | 4.2.117.0 | 4.2.176.0 | | |----------+------------+-------------| | | 5.0 | Migrate to | 5.2.157.0 | | CSCso60979 | | 5.2 | | | |----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 5.2 | Not | Not | | | | vulnerable | vulnerable | |---------------+----------+------------+-------------| | | 4.1 | Not | Not | | | | vulnerable | vulnerable | | |----------+------------+-------------| | | 4.2 | 4.2.174.0 | 4.2.176.0 | | |----------+------------+-------------| | | 5.0 | Not | Not | | CSCsv62283 | | Vulnerable | Vulnerable | | |----------+------------+-------------| | | 5.1 | Not | Not | | | | Vulnerable | vulnerable | | |----------+------------+-------------| | | 5.2 | Not | Not | | | | Vulnerable | vulnerable | +-----------------------------------------------------+ Note: Customers running 4.1M WLC mesh code, using Cisco Wireless 1510 Access Points (APs) are recommended to migrate to release 4.2.176.0. Customers running 4.1 mesh code, using Cisco Wireless 1520 APs are recommended to migrate to 5.2 or later. Workarounds =========== There are no workarounds for any of these vulnerabilities. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were found during internal testing and during the resolution of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090204-wlc.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2009-February-04 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008 - 2009 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 04, 2009 Document ID: 108336 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkmJxSEACgkQ86n/Gc8U/uB4XQCfadDoSJbA5K+0GujUY02Rj1Ua xnUAn0nc+bNHTzHwD298ai3ZW/JWKWaU =waFY -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cross-site scripting (XSS) vulnerability in emaullinks.php in YABSoft Mega File Hosting Script (aka MFH or MFHS) 1.2 allows remote attackers to inject arbitrary web script or HTML via the moudi parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NaviCOPA Web Server is a web server installed on a Windows system that automatically configures HTTP access. If a remote attacker submits a long HTTP GET request to the NaviCOPA Web Server, it can trigger a heap overflow, causing arbitrary code execution; in addition, submitting a specially crafted HTTP request containing a dot character to the server can also reveal the source code of the PHP script. NaviCOPA Web Server is prone to a remote buffer-overflow vulnerability and an information-disclosure vulnerability because the application fails to properly bounds-check or validate user-supplied input. Successful exploits of the buffer-overflow issue may lead to the execution of arbitrary code in the context of the application or to denial-of-service conditions. Also, attackers can exploit the information-disclosure issue to retrieve arbitrary source code in the context of the webserver process. Information harvested may aid in further attacks. This may let the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: NaviCOPA Script Source Disclosure and Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA33766 VERIFY ADVISORY: http://secunia.com/advisories/33766/ CRITICAL: Highly critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote SOFTWARE: NaviCOPA 3.x http://secunia.com/advisories/product/21322/ DESCRIPTION: e.wiZz! has discovered two vulnerabilities in NaviCOPA, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. 1) A boundary error in the processing of HTTP requests can be exploited to cause a heap-based buffer overflow via an overly long HTTP GET request. PHP scripts via specially crafted requests containing e.g. dot characters. The vulnerabilities are confirmed in version 3.01. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: e.wiZz! ORIGINAL ADVISORY: http://milw0rm.com/exploits/7966 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

InterVations NaviCOPA Web Server 3.01 allows remote attackers to obtain the source code for a web page via an HTTP request with the addition of ::$DATA after the HTML file name. NaviCOPA Web Server is a web server installed on a Windows system that automatically configures HTTP access. NaviCOPA Web Server is prone to a remote buffer-overflow vulnerability and an information-disclosure vulnerability because the application fails to properly bounds-check or validate user-supplied input. Successful exploits of the buffer-overflow issue may lead to the execution of arbitrary code in the context of the application or to denial-of-service conditions. Also, attackers can exploit the information-disclosure issue to retrieve arbitrary source code in the context of the webserver process. Information harvested may aid in further attacks. The CB Resume Builder ('com_cbresumebuilder') component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. Input passed via the "group_id" parameter to index.php (if "option" is set to "com_cbresumebuilder" and "task" is set to "group_member") is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. SOLUTION: Edit the source code to ensure that input is properly sanitised. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: NaviCOPA Script Source Disclosure and Buffer Overflow Vulnerabilities SECUNIA ADVISORY ID: SA33766 VERIFY ADVISORY: http://secunia.com/advisories/33766/ CRITICAL: Highly critical IMPACT: Exposure of sensitive information, DoS, System access WHERE: >From remote SOFTWARE: NaviCOPA 3.x http://secunia.com/advisories/product/21322/ DESCRIPTION: e.wiZz! has discovered two vulnerabilities in NaviCOPA, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), or potentially compromise a vulnerable system. 1) A boundary error in the processing of HTTP requests can be exploited to cause a heap-based buffer overflow via an overly long HTTP GET request. PHP scripts via specially crafted requests containing e.g. dot characters. The vulnerabilities are confirmed in version 3.01. SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: e.wiZz! ORIGINAL ADVISORY: http://milw0rm.com/exploits/7966 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

D-Link DIR-300 is prone to a cross-site scripting vulnerability and a security-bypass vulnerability. An attacker may exploit these issues to bypass authentication or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. The issues affect D-Link DIR-300 with firmware 1.04-tomi-1.1.2.

Multiple cross-site request forgery (CSRF) vulnerabilities in ajax.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allow remote attackers to hijack the authentication of administrators for requests that (1) shutdown the server, (2) send ping packets, (3) enable network services, (4) configure a proxy server, and (5) modify other settings via parameters in the query string. Profense is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability. An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks. The attacker can exploit the cross-site scripting issue to execute arbitrary script code in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials. Other attacks are also possible. Profense 2.6.2 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Profense Web Application Firewall Cross-Site Scripting and Cross-Site Request Forgery SECUNIA ADVISORY ID: SA33739 VERIFY ADVISORY: http://secunia.com/advisories/33739/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Profense Web Application Firewall 2.x http://secunia.com/advisories/product/21280/ DESCRIPTION: Michael Brooks has discovered some vulnerabilities in Profense Web Application Firewall, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. 1) Input passed via the "proxy" parameter in proxy.html is not properly sanitised before being returned to the user. 2) The application allows users to perform certain actions via HTTP requests without performing any validity check to verify the request. This can be exploited to perform certain actions, e.g. to shutdown the system, by enticing a logged-in administrator to visit a malicious web site. The vulnerability is reported in version 2.6.2 and confirmed in version 2.6.3. SOLUTION: Do not follow untrusted links and do not visit untrusted web sites while being logged-in to the web-based management interface. PROVIDED AND/OR DISCOVERED BY: Michael Brooks ORIGINAL ADVISORY: http://milw0rm.com/exploits/7919 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in proxy.html in Profense Web Application Firewall 2.6.2 and 2.6.3 allows remote attackers to inject arbitrary web script or HTML via the proxy parameter in a deny_log manage action. Profense is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability. An attacker can exploit the cross-site request forgery issue to alter the settings on affected devices. This may lead to further network-based attacks. Other attacks are also possible. Profense 2.6.2 is vulnerable; other versions may also be affected. Profense Web Application Firewal is a website firewall. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Profense Web Application Firewall Cross-Site Scripting and Cross-Site Request Forgery SECUNIA ADVISORY ID: SA33739 VERIFY ADVISORY: http://secunia.com/advisories/33739/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: Profense Web Application Firewall 2.x http://secunia.com/advisories/product/21280/ DESCRIPTION: Michael Brooks has discovered some vulnerabilities in Profense Web Application Firewall, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks. 1) Input passed via the "proxy" parameter in proxy.html is not properly sanitised before being returned to the user. 2) The application allows users to perform certain actions via HTTP requests without performing any validity check to verify the request. This can be exploited to perform certain actions, e.g. to shutdown the system, by enticing a logged-in administrator to visit a malicious web site. The vulnerability is reported in version 2.6.2 and confirmed in version 2.6.3. SOLUTION: Do not follow untrusted links and do not visit untrusted web sites while being logged-in to the web-based management interface. PROVIDED AND/OR DISCOVERED BY: Michael Brooks ORIGINAL ADVISORY: http://milw0rm.com/exploits/7919 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple unspecified vulnerabilities in the Arclib library (arclib.dll) before 7.3.0.15 in the CA Anti-Virus engine for CA Anti-Virus for the Enterprise 7.1, r8, and r8.1; Anti-Virus 2007 v8 and 2008; Internet Security Suite 2007 v3 and 2008; and other CA products allow remote attackers to bypass virus detection via a malformed archive file. Computer Associates Anti-Virus engine is prone to multiple vulnerabilities that may allow certain compressed archives to bypass the scan engine. Successful exploits will allow attackers to distribute files containing malicious code that the antivirus engine will fail to detect. Products with 'arclib.dll' prior to version 7.3.0.15 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: CA20090126-01: CA Anti-Virus Engine Detection Evasion Multiple Vulnerabilities CA Advisory Reference: CA20090126-01 CA Advisory Date: 2009-01-26 Reported By: Thierry Zoller and Sergio Alvarez of n.runs AG Impact: A remote attacker can evade detection. CA has released a new Anti-Virus engine to address the vulnerabilities. Consequently, detection evasion can be a concern for gateway anti-virus software if archives are not scanned, but the risk is effectively mitigated by the desktop anti-virus engine. Mitigating Factors: See note above. Severity: CA has given these vulnerabilities a Low risk rating. If your product is configured for automatic updates, you should already be protected, and you need to take no action. If your product is not configured for automatic updates, then you simply need to run the update utility included with your product. How to determine if you are affected: For products on Windows: 1. Using Windows Explorer, locate the file "arclib.dll". By default, the file is located in the "C:\Program Files\CA\SharedComponents\ScanEngine" directory (*). 2. Right click on the file and select Properties. 3. Select the Version tab. 4. File Name File Version arclib.dll 7.3.0.15 *For eTrust Intrusion Detection 2.0 the file is located in "Program Files\eTrust\Intrusion Detection\Common", and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in "Program Files\CA\Intrusion Detection\Common". For CA Anti-Virus r8.1 on non-Windows platforms: Use the compver utility provided on the CD to determine the version of Arclib. Example compver utility output: ------------------------------------------------ COMPONENT NAME VERSION ------------------------------------------------ eTrust Antivirus Arclib Archive Library 7.3.0.15 ... (followed by other components) For reference, the following are file names for arclib on non-Windows operating systems: Operating System File name Solaris libarclib.so Linux libarclib.so Mac OS X arclib.bundle Workaround: Do not open email attachments or download files from untrusted sources. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to the CA Product Vulnerability Response Team. https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=1777 82 Regards, Ken Williams, Director ; 0xE2941985 CA Product Vulnerability Response Team CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2009 CA. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.9.1 (Build 287) Charset: utf-8 wj8DBQFJfyMKeSWR3+KUGYURAkyRAJ94Db9OT0mSDBo8UiSAK7AWWt5XSgCfc89J SlKLxRwfw06DmTk2tmlcrJI= =Kjse -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in Web Dynpro (WD) in the SAP NetWeaver portal, when Internet Explorer 7.0.5730 is used, allows remote attackers to inject arbitrary web script or HTML via a crafted URI, which causes the XSS payload to be reflected in a text/plain document. SAP NetWeaver and Web Dynpro Java are prone to a cross-site scripting vulnerability because the applications fail to sufficiently sanitize user-supplied input. A successful exploit of this vulnerability could allow an attacker to compromise the application, access or modify data, or steal cookie-based authentication credentials. Other attacks are also possible. This issue is associated with SAP notification number 1235253. ############################################################# # # COMPASS SECURITY ADVISORY # http://www.csnc.ch/en/downloads/advisories.html # ############################################################# # # Product: NetWeaver/Web DynPro # Vendor: SAP (www.sap.com) # CVD ID: CVE-2008-3358 # Subject: Cross-Site Scripting Vulnerability # Risk: High # Effect: Remotely exploitable # Author: Martin Suess <martin.suess@csnc.ch> # Date: January 27th 2009 # ############################################################# Introduction: ------------- The vulnerability found targets the SAP NetWeaver portal. It is possible to execute JavaScript code in the browser of a valid user when clicking on a specially crafted URL which can be sent to the user by email. This vulnerability can be used to steal the user's session cookie or redirect him to a phishing website which shows the (faked) login screen and gets his logon credentials as soon as he tries to log in on the faked site. Affected: --------- - All tested versions that are vulnerable SAP NetWeaver/Web DynPro [for detailed Information, see SAP Notification 1235253] Description: ------------ A specially crafted URL in SAP NetWeaver allows an attacker to launch a Cross-Site Scripting attack. The resulting page contains only the unfiltered value of the vulnerable parameter. It is possible to create an URL which causes the resulting page to contain malicious JavaScript code. A response to such a request could look like the following example: HTTP/1.1 200 OK Date: Fri, 18 Jul 2008 13:13:30 GMT Server: <server> content-type: text/plain Content-Length: 67 Keep-Alive: timeout=10, max=500 Connection: Keep-Alive <html><title>test</title><body onload="alert(document.cookie)"> </body></html> The code only gets executed in Microsoft Internet Explorer (tested with version 7.0.5730 only). In Firefox (tested with version 3.0 only) it did not get executed as the content-type header of the server response is interpreted more strictly (text/plain). SAP Information Policy: ----------------------- The information is available to registered SAP clients only (SAP Security Notes). Patches: -------- Apply the latest SAP security patches for Netweaver. Timeline: --------- Vendor Status: Patch released Vendor Notified: July 21st 2008 Vendor Response: July 28th 2008 Patch available: October 2008 Advisory Release: January 27th 2009 References: ----------- - SAP Notification 1235253 (problem and patches) . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: SAP NetWeaver Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA33685 VERIFY ADVISORY: http://secunia.com/advisories/33685/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote SOFTWARE: SAP NetWeaver 4.x http://secunia.com/advisories/product/9490/ DESCRIPTION: A vulnerability has been reported in SAP NetWeaver, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation may require that the victim uses a browser which executes JavaScript statements in documents of the content type "text/plain" (e.g. Internet Explorer). SOLUTION: The vendor has reportedly issued a patch via SAP Note 1235253. http://service.sap.com/sap/support/notes/1235253 PROVIDED AND/OR DISCOVERED BY: Martin Suess, Compass Security ORIGINAL ADVISORY: SAP: http://service.sap.com/sap/support/notes/1235253 Compass Security: http://www.csnc.ch/misc/files/advisories/CVE-2008-3358.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari 3.2.1 (aka AppVer 3.525.27.1) on Windows allows remote attackers to cause a denial of service (infinite loop or access violation) via a link to an http URI in which the authority (aka hostname) portion is either a (1) . (dot) or (2) .. (dot dot) sequence. ( Dot dot ) Is a string http URI Service disruption via link to (DoS) There is a possibility of being put into a state. Apple Safari is prone to a denial-of-service vulnerability because it fails to adequately sanitize user-supplied input. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Apple Safari 3.2.1 for Windows is vulnerable; other versions may also be affected. In this http URI, the host port is either a "." sequence or a ".." sequence

CUPS on Mandriva Linux 2008.0, 2008.1, 2009.0, Corporate Server (CS) 3.0 and 4.0, and Multi Network Firewall (MNF) 2.0 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/pdf.log temporary file. CUPS creates temporary files in an insecure manner. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible. CUPS 1.3.9 is vulnerable; other versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:028 http://www.mandriva.com/security/ _______________________________________________________________________ Package : cups Date : January 24, 2009 Affected: 2008.0, 2008.1 _______________________________________________________________________ Problem Description: Security vulnerabilities have been discovered and corrected in CUPS. CUPS before 1.3.8 allows local users, and possibly remote attackers, to cause a denial of service (daemon crash) by adding a large number of RSS Subscriptions, which triggers a NULL pointer dereference (CVE-2008-5183). The web interface (cgi-bin/admin.c) in CUPS before 1.3.8 uses the guest username when a user is not logged on to the web server, which makes it easier for remote attackers to bypass intended policy and conduct CSRF attacks via the (1) add and (2) cancel RSS subscription functions (CVE-2008-5184). CUPS 1.1.17 through 1.3.9 allows remote attackers to execute arbitrary code via a PNG image with a large height value, which bypasses a validation check and triggers a buffer overflow (CVE-2008-5286). The updated packages have been patched to prevent this. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5183 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5184 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0032 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.0: 9ff1555139c59b89ea0623dfdfff4de5 2008.0/i586/cups-1.3.6-1.4mdv2008.0.i586.rpm 3cda60090d2108259f55cdbc6cf372e5 2008.0/i586/cups-common-1.3.6-1.4mdv2008.0.i586.rpm 1fbbbf89a0341cf430905757bdc6c355 2008.0/i586/cups-serial-1.3.6-1.4mdv2008.0.i586.rpm f6eb5a73b984f77e851cb39826ba26a1 2008.0/i586/libcups2-1.3.6-1.4mdv2008.0.i586.rpm e8279e8427ef9c3ec9536abe94038423 2008.0/i586/libcups2-devel-1.3.6-1.4mdv2008.0.i586.rpm 9974e6ad715a853706ec26acf9ca73c3 2008.0/i586/php-cups-1.3.6-1.4mdv2008.0.i586.rpm 6f6a298d7935094b6fcd18d39c3de1b7 2008.0/SRPMS/cups-1.3.6-1.4mdv2008.0.src.rpm Mandriva Linux 2008.0/X86_64: 355ce3cfb79a4aebbdabedb206a32e05 2008.0/x86_64/cups-1.3.6-1.4mdv2008.0.x86_64.rpm e3a2b95ac7138318d6cefab0fdf3face 2008.0/x86_64/cups-common-1.3.6-1.4mdv2008.0.x86_64.rpm fb0abf9e3d492edd06876b7d4cebe784 2008.0/x86_64/cups-serial-1.3.6-1.4mdv2008.0.x86_64.rpm 5b5196b27e24fb6ad910563ed884ce2e 2008.0/x86_64/lib64cups2-1.3.6-1.4mdv2008.0.x86_64.rpm e8b1cdbba7283ff2e9b76eb498f508d0 2008.0/x86_64/lib64cups2-devel-1.3.6-1.4mdv2008.0.x86_64.rpm 178ca59986af801a2c29611fa16ce2dd 2008.0/x86_64/php-cups-1.3.6-1.4mdv2008.0.x86_64.rpm 6f6a298d7935094b6fcd18d39c3de1b7 2008.0/SRPMS/cups-1.3.6-1.4mdv2008.0.src.rpm Mandriva Linux 2008.1: 93a94c922f72f8844e232ed779a8c66c 2008.1/i586/cups-1.3.6-5.3mdv2008.1.i586.rpm eccb6a07dd53dbbeb490675c2cf311f0 2008.1/i586/cups-common-1.3.6-5.3mdv2008.1.i586.rpm 2ad9c7135f6d8a2217d34055ca8f57b3 2008.1/i586/cups-serial-1.3.6-5.3mdv2008.1.i586.rpm 62d4efcf07165da647db08d6636ac596 2008.1/i586/libcups2-1.3.6-5.3mdv2008.1.i586.rpm f0779950606ab9fa83b9de410a7beb70 2008.1/i586/libcups2-devel-1.3.6-5.3mdv2008.1.i586.rpm d0bd96dc1aec2dab736d538a7bd49a2b 2008.1/i586/php-cups-1.3.6-5.3mdv2008.1.i586.rpm abd1474014a74c467881ca52b4090ace 2008.1/SRPMS/cups-1.3.6-5.3mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 64aca60db93cd3886f58823155e2f982 2008.1/x86_64/cups-1.3.6-5.3mdv2008.1.x86_64.rpm 2cb2d9467430c4619ed23d37099ad2cc 2008.1/x86_64/cups-common-1.3.6-5.3mdv2008.1.x86_64.rpm 69b5f842144013c41c946783c898c1db 2008.1/x86_64/cups-serial-1.3.6-5.3mdv2008.1.x86_64.rpm 243a0d7da4c4e24ac8c7571a202e1627 2008.1/x86_64/lib64cups2-1.3.6-5.3mdv2008.1.x86_64.rpm 2d4bbbd60d026d3bc272001d447dc5ae 2008.1/x86_64/lib64cups2-devel-1.3.6-5.3mdv2008.1.x86_64.rpm e1a2d953fdc0dbb7eda2097f0e4c38e9 2008.1/x86_64/php-cups-1.3.6-5.3mdv2008.1.x86_64.rpm abd1474014a74c467881ca52b4090ace 2008.1/SRPMS/cups-1.3.6-5.3mdv2008.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJe0RhmqjQ0CJFipgRAsXFAKDBJeogydK5chEfSmEpHuVXDsC6xQCgq+vl JbRgydRjIpXNqGzlnNrqXZI= =2ydF -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Cisco Security Manager 3.1 and 3.2 before 3.2.2, when Cisco IPS Event Viewer (IEV) is used, exposes TCP ports used by the MySQL daemon and IEV server, which allows remote attackers to obtain "root access" to IEV via unspecified use of TCP sessions to these ports. Attackers can exploit this issue to obtain SYSTEM-level access to data and to the Security Manager service. Successful exploits can result in the complete compromise of affected computers. This issue is tracked by Cisco Bug ID CSCsv66897. This issue affects Security Manager 3.0 up to 3.2. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Cisco Security Manager Security Bypass Vulnerability SECUNIA ADVISORY ID: SA33633 VERIFY ADVISORY: http://secunia.com/advisories/33633/ CRITICAL: Moderately critical IMPACT: Security Bypass, Manipulation of data WHERE: >From local network SOFTWARE: Cisco Security Manager (CSM) 3.x http://secunia.com/advisories/product/18842/ DESCRIPTION: A vulnerability has been reported in Cisco Security Manager, which can be exploited by malicious people to bypass certain security restrictions. This vulnerability is reported in versions 3.1, 3.1.1, 3.2, and 3.2.1. SOLUTION: Update to a fixed version. Please see vendor advisory for a patch matrix. PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: cisco-sa-20090121-csm: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a6192a.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . An unauthenticated, remote attacker could leverage this vulnerability to access the MySQL databases or IEV server. Cisco has released free software updates that address this vulnerability. A workaround is also available to mitigate this vulnerability. As part of Cisco Security Manager installation, the Cisco IEV is installed by default. The IEV is a Java-based application that allows users to view and manage alerts for up to five sensors, including the ability to report top alerts, attackers, and victims over a specified number of hours or days. Users can connect to and view alerts in real time or via imported log files, configure filters and views to help manage alerts, and import and export event data for further analysis. These ports could allow remote, unauthenticated root access to the IEV database and server. The IEV database contains events that are collected from Cisco Intrusion Prevention System (IPS) devices. The IEV server allows an unauthenticated user to add, delete, or modify the devices that are added into the IEV. This vulnerability is documented in Cisco Bug ID: CSCsv66897 This vulnerability have been assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2008-3820. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsv66897: Cisco Security Manager/IEV: TCP Ports open for remote connection without any authentication CVSS Base Score - 8.8 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - None CVSS Temporal Score - 7.3 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of this vulnerability may result in remote root access to the IEV database or to the IEV Server. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. A software patch for Cisco Security Manager versions 3.1, 3.1.1, 3.2 and 3.2.1 is available for download at: http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app?psrtdcat20e2 The patch file names by Cisco Security Manager version follow: +------------------------------------------+ | Cisco | | | Security | Patch Filename | | Manager | | | version | | |-----------+------------------------------| | 3.0.x and | Not Vulnerable | | earlier | | |-----------+------------------------------| | 3.1 | CSM310PatchCSCsv66897.zip | |-----------+------------------------------| | 3.1.1.SP3 | CSM311SP3PatchCSCsv66897.zip | |-----------+------------------------------| | 3.2.SP2 | CSM320SP2PatchCSCsv66897.zip | |-----------+------------------------------| | 3.2.1.SP1 | CSM321SP1PatchCSCsv66897.zip | |-----------+------------------------------| | 3.2.2 | Not Vulnerable | +------------------------------------------+ Please read the corresponding readme files for installation instructions. Workarounds =========== In the event that Cisco IEV is not being used, administrators are advised to disable the functionality until a patch is applied. To disable IEV on Cisco Security Manager, perform the following steps: 1. 2. Open the Services dialog box (Choose Start > Administrative Tools > Services). 3. Locate the Cisco IPS Event Viewer service and open Properties. 4. Change Startup Type: to Disabled and click Ok. 5. Stop the Cisco IPS Event Viewer service. 6. 7. Confirm that the Cisco IPS Event Viewer service has not restarted. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090121-csm.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. This vulnerability was discovered through internal Cisco testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090121-csm.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-January-21 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkl3Q3QACgkQ86n/Gc8U/uCrVwCgjzYJzcc9npFzFfdAnudO1QYC JvAAn1Ij4FRrttn3WjOHF+GthJw1x1+K =5AmB -----END PGP SIGNATURE-----

The Certificate Authority Proxy Function (CAPF) service in Cisco Unified Communications Manager 5.x before 5.1(3e) and 6.x before 6.1(3) allows remote attackers to cause a denial of service (voice service outage) by sending malformed input over a TCP session in which the "client terminates prematurely.". Cisco Unified Communications Manager is prone to a denial-of-service vulnerability because it fails to handle malformed input. An attacker can exploit this issue to cause an interruption in voice services. This issue is tracked by Cisco Bug ID CSCsq32032. PROVIDED AND/OR DISCOVERED BY: The vendor credits VoIPshield. ORIGINAL ADVISORY: cisco-sa-20090121-cucmcapf: http://www.cisco.com/en/US/products/products_security_advisory09186a0080a61928.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The CAPF service is disabled by default. Cisco has released free software updates that address this vulnerability. Workarounds available that mitigate this vulnerability are available. The software version can also be determined by running the command show version active by way of the command line interface (CLI). No other Cisco products are currently known to be affected by this vulnerability. The CAPF service is disabled by default; however, if it is enabled, the CAPF service listens by default on TCP port 3804 and the listening port is configurable by the user. There is a workaround for this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCsq32032 - CAPF DoS when client terminates prematurely CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability described in this advisory may result in the interruption of voice services. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Access to the CAPF service is only required if Cisco Unified Communications Manager systems and IP phone devices are configured to use certificates for a secure deployment. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection. It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices if the CAPF service is required. If the CAPF service is enabled, allow access to TCP port 3804 only from networks that contain IP phone devices that require the CAPF service. The CAPF port is user configurable, and if modified, filtering on screening devices should be based on the TCP port that is used. For Cisco Unified Communications Manager 5.x and 6.x systems, please consult the following documentation for details on how to disable Cisco Unified Communications Manager services: http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/service/5_0_1/ccmsrva/sasrvact.html#wp1048220 Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20090121-cucmcapf.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was reported to Cisco by VoIPshield. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090121-cucmcapf.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-January-21 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/ products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/ go/psirt. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (SunOS) iD8DBQFJd0dD86n/Gc8U/uARAhPkAJ9eOS8yZa18csFfRpyarwx2G4G00wCgjPWa Jd/WyK/F5INcBCYG2KCL2K0= =MqQz -----END PGP SIGNATURE-----

Unspecified vulnerability in Apple QuickTime MPEG-2 Playback Component before 7.60.92.0 on Windows allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted MPEG-2 movie. The Apple QuickTime MPEG-2 Playback Component is prone to a memory-corruption issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime MPEG-2 Playback Component running on Microsoft Windows Vista and Windows XP SP2 and SP3. Apple QuickTime is a very popular multimedia player. The QuickTime MPEG-2 Playback Component allows QuickTime users to import and play back format-specific MPEG-2 content, available for purchase and download separately from the Apple Online Store. ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime MPEG-2 Playback Component Input Validation Vulnerability SECUNIA ADVISORY ID: SA33642 VERIFY ADVISORY: http://secunia.com/advisories/33642/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime MPEG-2 Playback Component 7.x http://secunia.com/advisories/product/21083/ DESCRIPTION: A vulnerability has been reported in the Apple QuickTime MPEG-2 Playback component, which can potentially be exploited by malicious people to compromise a user's system. The vulnerability is reported in QuickTime MPEG-2 Playback Component for Windows in versions prior to 7.60.92.0. SOLUTION: Update to version 7.60.92.0. PROVIDED AND/OR DISCOVERED BY: The vendor credits Richard Lemon, Code Lemon ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3404 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted MP3 audio file. Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-022A Apple QuickTime Updates for Multiple Vulnerabilities Original release date: January 22, 2009 Last revised: -- Source: US-CERT Systems Affected * Apple QuickTime 7.5 for Windows and Mac OS X Overview Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. I. Description Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. This file could be hosted on a web page or sent via email. II. Impact The impacts of these vulnerabilities vary. III. This and other updates are available via Software Update or via Apple Downloads. IV. References * About the security content of QuickTime 7.6 - <http://support.apple.com/kb/HT3403> * Apple Support Downloads - <http://support.apple.com/downloads/> * Mac OS X - updating your software - <http://support.apple.com/kb/HT1338?viewlocale=en_US> * Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-022A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 22, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely 5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg 7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug== =B5D3 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA33632 VERIFY ADVISORY: http://secunia.com/advisories/33632/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists in the processing of RTSP URLs. This can be exploited to cause a heap-based buffer overflow when a specially crafted RTSP URL is accessed. 2) An error due to improper validation of transform matrix data exists when processing Track Header (THKD) atoms in QuickTime Virtual Reality (QTVR) movie files. This can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file. 3) An error in the processing of "nBlockAlign" values in the "_WAVEFORMATEX" structure of AVI headers can be exploited to cause a heap-based buffer overflow when a specially crafted AVI file is accessed. 6) A signedness error exists within the processing of the MDAT atom when handling Cinepak encoded movie files. 7) An error exists within the function JPEG_DComponentDispatch() when processing the image width data in JPEG atoms embedded in STSD atoms. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 7.6. QuickTime 7.6 for Windows: http://support.apple.com/downloads/QuickTime_7_6_for_Windows QuickTime 7.6 for Leopard: http://support.apple.com/downloads/QuickTime_7_6_for_Leopard QuickTime 7.6 for Tiger: http://support.apple.com/downloads/QuickTime_7_6_for_Tiger PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Attila Suszter 4) Chad Dougherty, CERT Coordination Center 5) Dave Soldera, NGS Software 2, 3, 6, 7) An anonymous person, reported via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3403 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-005/ http://www.zerodayinitiative.com/advisories/ZDI-09-006/ http://www.zerodayinitiative.com/advisories/ZDI-09-007/ http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted H.263 encoded movie file that triggers memory corruption. Apple QuickTime is prone to a memory-corruption issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-022A Apple QuickTime Updates for Multiple Vulnerabilities Original release date: January 22, 2009 Last revised: -- Source: US-CERT Systems Affected * Apple QuickTime 7.5 for Windows and Mac OS X Overview Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. I. Description Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. This file could be hosted on a web page or sent via email. II. Impact The impacts of these vulnerabilities vary. III. This and other updates are available via Software Update or via Apple Downloads. IV. References * About the security content of QuickTime 7.6 - <http://support.apple.com/kb/HT3403> * Apple Support Downloads - <http://support.apple.com/downloads/> * Mac OS X - updating your software - <http://support.apple.com/kb/HT1338?viewlocale=en_US> * Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-022A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 22, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely 5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg 7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug== =B5D3 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA33632 VERIFY ADVISORY: http://secunia.com/advisories/33632/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists in the processing of RTSP URLs. This can be exploited to cause a heap-based buffer overflow when a specially crafted RTSP URL is accessed. 2) An error due to improper validation of transform matrix data exists when processing Track Header (THKD) atoms in QuickTime Virtual Reality (QTVR) movie files. This can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file. 3) An error in the processing of "nBlockAlign" values in the "_WAVEFORMATEX" structure of AVI headers can be exploited to cause a heap-based buffer overflow when a specially crafted AVI file is accessed. 4) A boundary error exists in the processing of MPEG-2 video files containing MP3 audio content, which can be exploited to cause a buffer overflow via a specially crafted movie file. 6) A signedness error exists within the processing of the MDAT atom when handling Cinepak encoded movie files. 7) An error exists within the function JPEG_DComponentDispatch() when processing the image width data in JPEG atoms embedded in STSD atoms. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 7.6. QuickTime 7.6 for Windows: http://support.apple.com/downloads/QuickTime_7_6_for_Windows QuickTime 7.6 for Leopard: http://support.apple.com/downloads/QuickTime_7_6_for_Leopard QuickTime 7.6 for Tiger: http://support.apple.com/downloads/QuickTime_7_6_for_Tiger PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Attila Suszter 4) Chad Dougherty, CERT Coordination Center 5) Dave Soldera, NGS Software 2, 3, 6, 7) An anonymous person, reported via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3403 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-005/ http://www.zerodayinitiative.com/advisories/ZDI-09-006/ http://www.zerodayinitiative.com/advisories/ZDI-09-007/ http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted RTSP URL. Apple QuickTime is prone to a remote heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition. Versions prior to Apple QuickTime 7.6 are vulnerable. Apple QuickTime is a multimedia framework of Apple (Apple), which can process digital video, pictures, sound and panoramic images in various formats. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-022A Apple QuickTime Updates for Multiple Vulnerabilities Original release date: January 22, 2009 Last revised: -- Source: US-CERT Systems Affected * Apple QuickTime 7.5 for Windows and Mac OS X Overview Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. I. This file could be hosted on a web page or sent via email. II. Impact The impacts of these vulnerabilities vary. III. This and other updates are available via Software Update or via Apple Downloads. IV. References * About the security content of QuickTime 7.6 - <http://support.apple.com/kb/HT3403> * Apple Support Downloads - <http://support.apple.com/downloads/> * Mac OS X - updating your software - <http://support.apple.com/kb/HT1338?viewlocale=en_US> * Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-022A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 22, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely 5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg 7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug== =B5D3 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA33632 VERIFY ADVISORY: http://secunia.com/advisories/33632/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists in the processing of RTSP URLs. 2) An error due to improper validation of transform matrix data exists when processing Track Header (THKD) atoms in QuickTime Virtual Reality (QTVR) movie files. This can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file. 3) An error in the processing of "nBlockAlign" values in the "_WAVEFORMATEX" structure of AVI headers can be exploited to cause a heap-based buffer overflow when a specially crafted AVI file is accessed. 4) A boundary error exists in the processing of MPEG-2 video files containing MP3 audio content, which can be exploited to cause a buffer overflow via a specially crafted movie file. 5) An unspecified error exists in the processing of H.263 encoded movie files, which can be exploited to cause a memory corruption when a specially crafted movie file is viewed. 6) A signedness error exists within the processing of the MDAT atom when handling Cinepak encoded movie files. This can be exploited to cause a heap-based buffer overflow when a specially crafted movie file is viewed. 7) An error exists within the function JPEG_DComponentDispatch() when processing the image width data in JPEG atoms embedded in STSD atoms. This can be exploited to cause a memory corruption when a specially crafted movie file is viewed. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 7.6. QuickTime 7.6 for Windows: http://support.apple.com/downloads/QuickTime_7_6_for_Windows QuickTime 7.6 for Leopard: http://support.apple.com/downloads/QuickTime_7_6_for_Leopard QuickTime 7.6 for Tiger: http://support.apple.com/downloads/QuickTime_7_6_for_Tiger PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Attila Suszter 4) Chad Dougherty, CERT Coordination Center 5) Dave Soldera, NGS Software 2, 3, 6, 7) An anonymous person, reported via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3403 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-005/ http://www.zerodayinitiative.com/advisories/ZDI-09-006/ http://www.zerodayinitiative.com/advisories/ZDI-09-007/ http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QuickTime movie file containing invalid image width data in JPEG atoms within STSD atoms. User interaction is required to exploit this vulnerability in that the target must open a malicious file.The specific flaw exists in the handling of JPEG atoms embedded in STSD atoms within the function JPEG_DComponentDispatch(). Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-022A Apple QuickTime Updates for Multiple Vulnerabilities Original release date: January 22, 2009 Last revised: -- Source: US-CERT Systems Affected * Apple QuickTime 7.5 for Windows and Mac OS X Overview Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. I. Description Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. This file could be hosted on a web page or sent via email. II. Impact The impacts of these vulnerabilities vary. III. This and other updates are available via Software Update or via Apple Downloads. IV. References * About the security content of QuickTime 7.6 - <http://support.apple.com/kb/HT3403> * Apple Support Downloads - <http://support.apple.com/downloads/> * Mac OS X - updating your software - <http://support.apple.com/kb/HT1338?viewlocale=en_US> * Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-022A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 22, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely 5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg 7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug== =B5D3 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA33632 VERIFY ADVISORY: http://secunia.com/advisories/33632/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists in the processing of RTSP URLs. This can be exploited to cause a heap-based buffer overflow when a specially crafted RTSP URL is accessed. 2) An error due to improper validation of transform matrix data exists when processing Track Header (THKD) atoms in QuickTime Virtual Reality (QTVR) movie files. This can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file. 3) An error in the processing of "nBlockAlign" values in the "_WAVEFORMATEX" structure of AVI headers can be exploited to cause a heap-based buffer overflow when a specially crafted AVI file is accessed. 4) A boundary error exists in the processing of MPEG-2 video files containing MP3 audio content, which can be exploited to cause a buffer overflow via a specially crafted movie file. 6) A signedness error exists within the processing of the MDAT atom when handling Cinepak encoded movie files. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 7.6. QuickTime 7.6 for Windows: http://support.apple.com/downloads/QuickTime_7_6_for_Windows QuickTime 7.6 for Leopard: http://support.apple.com/downloads/QuickTime_7_6_for_Leopard QuickTime 7.6 for Tiger: http://support.apple.com/downloads/QuickTime_7_6_for_Tiger PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Attila Suszter 4) Chad Dougherty, CERT Coordination Center 5) Dave Soldera, NGS Software 2, 3, 6, 7) An anonymous person, reported via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3403 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-005/ http://www.zerodayinitiative.com/advisories/ZDI-09-006/ http://www.zerodayinitiative.com/advisories/ZDI-09-007/ http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-09-008: Apple QuickTime STSD JPEG Atom Heap Corruption Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-008 January 21, 2009 -- CVE ID: CVE-2009-0007 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6254. More details can be found at: http://support.apple.com/kb/HT3403 -- Disclosure Timeline: 2008-06-25 - Vulnerability reported to vendor 2009-01-21 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QTVR movie file with crafted THKD atoms. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of 'tkhd' atoms found inside QuickTimeVR files. Improper validation of the transform matrix data results in a heap chunk header overwrite leading to arbitrary code execution under the context of the currently logged in user. Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-022A Apple QuickTime Updates for Multiple Vulnerabilities Original release date: January 22, 2009 Last revised: -- Source: US-CERT Systems Affected * Apple QuickTime 7.5 for Windows and Mac OS X Overview Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. I. Description Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. This file could be hosted on a web page or sent via email. II. Impact The impacts of these vulnerabilities vary. III. This and other updates are available via Software Update or via Apple Downloads. IV. References * About the security content of QuickTime 7.6 - <http://support.apple.com/kb/HT3403> * Apple Support Downloads - <http://support.apple.com/downloads/> * Mac OS X - updating your software - <http://support.apple.com/kb/HT1338?viewlocale=en_US> * Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-022A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 22, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely 5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg 7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug== =B5D3 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA33632 VERIFY ADVISORY: http://secunia.com/advisories/33632/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists in the processing of RTSP URLs. This can be exploited to cause a heap-based buffer overflow when a specially crafted RTSP URL is accessed. This can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file. 6) A signedness error exists within the processing of the MDAT atom when handling Cinepak encoded movie files. 7) An error exists within the function JPEG_DComponentDispatch() when processing the image width data in JPEG atoms embedded in STSD atoms. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 7.6. QuickTime 7.6 for Windows: http://support.apple.com/downloads/QuickTime_7_6_for_Windows QuickTime 7.6 for Leopard: http://support.apple.com/downloads/QuickTime_7_6_for_Leopard QuickTime 7.6 for Tiger: http://support.apple.com/downloads/QuickTime_7_6_for_Tiger PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Attila Suszter 4) Chad Dougherty, CERT Coordination Center 5) Dave Soldera, NGS Software 2, 3, 6, 7) An anonymous person, reported via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3403 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-005/ http://www.zerodayinitiative.com/advisories/ZDI-09-006/ http://www.zerodayinitiative.com/advisories/ZDI-09-007/ http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-09-005: Apple QuickTime VR Track Header Atom Heap Corruption Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-005 January 21, 2009 -- CVE ID: CVE-2009-0002 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6449. More details can be found at: http://support.apple.com/kb/HT3403 -- Disclosure Timeline: 2008-09-16 - Vulnerability reported to vendor 2009-01-21 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Integer signedness error in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a Cinepak encoded movie file with a crafted MDAT atom that triggers a heap-based buffer overflow. User interaction is required to exploit this vulnerability in that the target must open a malicious file.The specific flaw exists in the handling of movie data encoded using the Cinepak Video Codec. When parsing the data in the MDAT atom, there exists a signedness error which leads to a heap overflow. When this occurs it can be further leveraged to execute arbitrary code under the context of the current user. Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions. This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-022A Apple QuickTime Updates for Multiple Vulnerabilities Original release date: January 22, 2009 Last revised: -- Source: US-CERT Systems Affected * Apple QuickTime 7.5 for Windows and Mac OS X Overview Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. I. Description Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. This file could be hosted on a web page or sent via email. II. Impact The impacts of these vulnerabilities vary. III. IV. References * About the security content of QuickTime 7.6 - <http://support.apple.com/kb/HT3403> * Apple Support Downloads - <http://support.apple.com/downloads/> * Mac OS X - updating your software - <http://support.apple.com/kb/HT1338?viewlocale=en_US> * Securing Your Web Browser - <https://www.us-cert.gov/reading_room/securing_browser/> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-022A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History January 22, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSXj25HIHljM+H4irAQKNIgf+LSBKBzHWdjxmJgYw3vYmAXtwpUxAVThs Ma4vIB1vSjv8Us83S2XrKIGcKrdPgQgeS7Vji9WRMmlzEv/AYlFJseqq17ufGely 5YosATUh+C0SjY6OAYeJNYMws7fgGcGJagtfQp0gJTRLruknEoB/iqlASBQ7MtNg 7viHKIR8r2BxCNB1A4ir1kzPELIHFF/pmmuaD+E2PnxH1XtYLM9b9t6xbkjie2PG vEwv7JCGH/RrJtst480ZMIHOghsZ0ONoMkTjZB7o5S0ww3guktGOMB+/QiZI8eFB KbU6nB6JGscZ8Fb1E4K3yOU9MvpzEfurIvYmyMcAdxFCiq5CSUjOug== =B5D3 -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Did you know that a change in our assessment rating, exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more: http://secunia.com/advisories/business_solutions/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA33632 VERIFY ADVISORY: http://secunia.com/advisories/33632/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/advisories/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error exists in the processing of RTSP URLs. This can be exploited to cause a heap-based buffer overflow when a specially crafted RTSP URL is accessed. 2) An error due to improper validation of transform matrix data exists when processing Track Header (THKD) atoms in QuickTime Virtual Reality (QTVR) movie files. This can be exploited to cause a heap-based buffer overflow via a specially crafted QTVR file. 3) An error in the processing of "nBlockAlign" values in the "_WAVEFORMATEX" structure of AVI headers can be exploited to cause a heap-based buffer overflow when a specially crafted AVI file is accessed. 4) A boundary error exists in the processing of MPEG-2 video files containing MP3 audio content, which can be exploited to cause a buffer overflow via a specially crafted movie file. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. SOLUTION: Update to version 7.6. QuickTime 7.6 for Windows: http://support.apple.com/downloads/QuickTime_7_6_for_Windows QuickTime 7.6 for Leopard: http://support.apple.com/downloads/QuickTime_7_6_for_Leopard QuickTime 7.6 for Tiger: http://support.apple.com/downloads/QuickTime_7_6_for_Tiger PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Attila Suszter 4) Chad Dougherty, CERT Coordination Center 5) Dave Soldera, NGS Software 2, 3, 6, 7) An anonymous person, reported via ZDI ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3403 ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-005/ http://www.zerodayinitiative.com/advisories/ZDI-09-006/ http://www.zerodayinitiative.com/advisories/ZDI-09-007/ http://www.zerodayinitiative.com/advisories/ZDI-09-008/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-007 January 21, 2009 -- CVE ID: CVE-2009-2006 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6172. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT3403 -- Disclosure Timeline: 2008-06-23 - Vulnerability reported to vendor 2009-01-21 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/