VARIoT IoT vulnerabilities database


VAR-200708-0087 CVE-2007-4204 Vulnerability in Hitachi Groupmax Collaboration - Schedule that allows important information to be obtained CVSS V2: 3.5
CVSS V3: -
Severity: LOW
Hitachi Groupmax Collaboration - Schedule, as used in Groupmax Collaboration Portal 07-32 through 07-32-/B, uCosminexus Collaboration Portal 06-32 through 06-32-/B, and Groupmax Collaboration Web Client - Mail/Schedule 07-32 through 07-32-/A, can assign schedule data to the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information.
VAR-200708-0527 No CVE Ipswitch IMail Server SEARCH Command Remote Buffer Overflow Vulnerability CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Ipswitch IMail Server is a mail server bundled in the Ipswitch collaboration component. A buffer overflow vulnerability exists in the way the IMail server processes the parameters of a SEARCH command request. A remote attacker could exploit this vulnerability to control the server. The IMail server has a stack buffer overflow problem when dealing with multiple options of the SEARCH command (BEFORE, ON, SINCE, SENTBEFORE, SENTON, SENTSINCE). A remote attacker can trigger an overflow by submitting a malformed SEARCH request, resulting in the execution of arbitrary instructions. Ipswitch IMail Server and Collaboration Suite (ICS) are prone to multiple buffer-overflow vulnerabilities because these applications fail to properly bounds-check user-supplied input before copying it into an insufficiently sized memory buffer. Attackers may exploit these issues to execute arbitrary code in the context of the affected applications. Failed exploit attempts will likely result in denial-of-service conditions. These versions are reported vulnerable to these issues: Ipswitch Collaboration Suite (ICS) 2006; IMail Premium 2006.2 and 2006.21. Other versions may also be affected. This can be exploited to cause stack-based buffer overflows via overly long, quoted or unquoted arguments passed to the command. Successful exploitation allows execution of arbitrary code. SOLUTION: Grant only trusted users access to the IMAP service. PROVIDED AND/OR DISCOVERED BY: Independently discovered by: * Secunia Research * ZhenHan Liu, Ph4nt0m Security Team.
---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------
VAR-200708-0003 CVE-2007-2927 Atheros wireless network drivers may fail to properly handle malformed frames CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Atheros 802.11 a/b/g wireless adapter drivers before 5.3.0.35, and 6.x before 6.0.3.67, on Windows allows remote attackers to cause a denial of service via a crafted 802.11 management frame. Atheros wireless drivers fail to properly handle malformed wireless frames. This vulnerability may allow a remote, unauthenticated attacker to create a denial-of-service condition. The wireless network driver for Microsoft Windows provided by Atheros has a vulnerability in its frame handling. Sending a crafted 802.11 management frame causes a buffer overflow, which can result in a denial of service (DoS). Management frames in 802.11b, 802.11g and 802.11n are not encrypted and do not require authentication to be sent. Furthermore, systems are affected by this vulnerability even when wireless encryption such as WEP or WPA is in use. Systems that use the vulnerable drivers through NDISWrapper or similar technologies on Linux and UNIX may also be affected. The driver did not adequately check for malformed management frames, and a remote attacker could trigger an overflow by sending a specially constructed 802.11 management frame that requires no authentication or encryption. Atheros drivers are also used by OEM (Original Equipment Manufacturer) wireless adapters. This issue is reported to affect drivers for the Windows operating system. SOLUTION: The vendor has reportedly issued firmware updates (versions 5.3.0.35 and 6.0.3.67 and later) to OEMs. PROVIDED AND/OR DISCOVERED BY: Reported via US-CERT.
ORIGINAL ADVISORY: US-CERT VU#730169: http://www.kb.cert.org/vuls/id/730169
VAR-200708-0147 CVE-2007-4117 Vulnerability in platon phpwebfilemanager CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
PHP remote file inclusion vulnerability in index.php in phpWebFileManager 0.5 allows remote attackers to execute arbitrary PHP code via a URL in the PN_PathPrefix parameter. NOTE: this issue is disputed by a reliable third party, who demonstrates that PN_PathPrefix is defined before use. An unspecified vulnerability exists in platon phpwebfilemanager.
VAR-200708-0154 CVE-2007-4124 Cosminexus Component Container Session Handling Vulnerability CVSS V2: 4.9
CVSS V3: -
Severity: MEDIUM
The session failover function in Cosminexus Component Container in Cosminexus 6, 6.7, and 7 before 20070731, as used in multiple Hitachi products, can use session data for the wrong user under unspecified conditions, which might allow remote authenticated users to obtain sensitive information, corrupt another user's session data, and possibly gain privileges. Hitachi uCosminexus is an application server system. There is a vulnerability in Hitachi uCosminexus's session failover implementation. Remote attackers may use this vulnerability to obtain session-related sensitive data. Details of the vulnerability are currently unknown. TITLE: Hitachi Products Cosminexus Component Container Improper Session Data Handling SECUNIA ADVISORY ID: SA26250 VERIFY ADVISORY: http://secunia.com/advisories/26250/ CRITICAL: Less critical IMPACT: Security Bypass, Exposure of sensitive information WHERE: From local network SOFTWARE: uCosminexus Application Server http://secunia.com/product/13819/ uCosminexus Service Platform http://secunia.com/product/13823/ uCosminexus Developer http://secunia.com/product/13820/ uCosminexus Service Architect http://secunia.com/product/13821/ Cosminexus 6.x http://secunia.com/product/5795/ DESCRIPTION: A security issue has been reported in Hitachi products, which potentially can be exploited by malicious users to gain knowledge of sensitive information or bypass certain security restrictions.
Please see the vendor's advisory for a list of affected products and versions. SOLUTION: Please see the vendor's advisory for fix details. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS07-024_e/index-e.html
VAR-200708-0152 CVE-2007-4122 Hitachi JP1/Cm2/HV denial-of-service (DoS) vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in Hitachi JP1/Cm2/Hierarchical Viewer (HV) 06-00 through 06-71-/B allows remote attackers to cause a denial of service (application stop and web interface outage) via certain "unexpected data.". Hitachi JP1 / Cm2 / Hierarchical is a middleware platform software. There is a vulnerability in the implementation of Hitachi JP1 / Cm2 / Hierarchical Viewer. A remote attacker may use this vulnerability to cause a denial of service. HV generates an error when processing malformed data, which makes the HV web interface unavailable. Attackers can exploit this issue to cause denial-of-service conditions. Please see the vendor's advisory for a list of affected versions. SOLUTION: Please see the vendor's advisory for fix information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi-support.com/security_e/vuls_e/HS07-021_e/index-e.html
VAR-200708-0466 CVE-2007-2408 Java applet execution vulnerability in WebKit in Apple Safari CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
WebKit in Apple Safari 3 Beta before Update 3.0.3 does not properly recognize an unchecked "Enable Java" setting, which allows remote attackers to execute Java applets via a crafted web page. Apple Safari is prone to a weakness that may result in the execution of potentially malicious Java applets. This issue results from a design error. This weakness arises because the application fails to properly check a security setting. Versions prior to Safari 3.0.3 Beta and Safari 3.0.3 Beta for Windows are vulnerable to this issue. Safari is the WEB browser bundled with the Apple family operating system by default. Safari provides an option to enable Java preferences
VAR-200707-0198 CVE-2007-4023 Aruba Mobility Controller Series cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Cross-site scripting (XSS) vulnerability in the login CGI program in Aruba Mobility Controller 2.5.4.18 and earlier, and 2.4.8.6-FIPS and earlier FIPS versions, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Aruba Mobility Controller series, switch products from Aruba Networks, contain a cross-site scripting vulnerability. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. This issue affects versions prior to Aruba Mobility Controller 2.5.4.18 and FIPS prior to 2.4.8.6-FIPS. Certain input passed to the login pages is not properly sanitised before being returned to the user. SOLUTION: Update to the latest patched firmware version. http://www.arubanetworks.com/support PROVIDED AND/OR DISCOVERED BY: The vendor credits Adair Collins and Steve Palmer of HostsPlus, and Nobuhiro Tsuji of NTT DATA SECURITY. ORIGINAL ADVISORY: http://www.arubanetworks.com/support/alerts/aid-070907b.asc
VAR-200707-0544 CVE-2007-0060 Stack-based buffer overflow vulnerability in Message Queuing Server used in multiple CA products CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in CA (formerly Computer Associates) Message Queuing (CAM / CAFT) software before 1.11 Build 54_4 on Windows and NetWare, as used in CA Advantage Data Transport, eTrust Admin, certain BrightStor products, certain CleverPath products, and certain Unicenter products, allows remote attackers to execute arbitrary code via a crafted message to TCP port 3104. Multiple Computer Associates products are prone to a remote stack-based buffer-overflow vulnerability. This issue affects the Message Queuing (CAM/CAFT) component. The application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer. A successful exploit will allow an attacker to execute arbitrary code with SYSTEM-level privileges. There is a buffer overflow vulnerability in the CAM service when processing malformed user requests. Remote attackers may use this vulnerability to control the server. Please see the vendor's advisory for more details.
CAM (Windows): http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO89945 CAM(Netware): http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO89943 PROVIDED AND/OR DISCOVERED BY: IBM ISS X-Force ORIGINAL ADVISORY: CA: http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-secnot.asp IBM ISS X-Force: http://www.iss.net/threats/272.html Mitigating Factors: None Severity: CA has given this vulnerability a High risk rating. i.e. CAM versions 1.04, 1.05, 1.06, 1.07, 1.10 (prior to Build 54_4) and 1.11 (prior to Build 54_4).
Affected Products: Advantage Data Transport 3.0 BrightStor SAN Manager 11.1, 11.5 BrightStor Portal 11.1 CleverPath OLAP 5.1 CleverPath ECM 3.5 CleverPath Predictive Analysis Server 2.0, 3.0 CleverPath Aion 10.0 eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1 Unicenter Application Performance Monitor 3.0, 3.5 Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1 Unicenter Data Transport Option 2.0 Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2 Unicenter Jasmine 3.0 Unicenter Management for WebSphere MQ 3.5 Unicenter Management for Microsoft Exchange 4.0, 4.1 Unicenter Management for Lotus Notes/Domino 4.0 Unicenter Management for Web Servers 5, 5.0.1 Unicenter NSM 3.0, 3.1 Unicenter NSM Wireless Network Management Option 3.0 Unicenter Remote Control 6.0, 6.0 SP1 Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5 Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1 Unicenter TNG 2.1, 2.2, 2.4, 2.4.2 Unicenter TNG JPN 2.2 Affected Platforms: Windows and NetWare Platforms NOT affected: AIX, AS/400, DG Intel, DG Motorola, DYNIX, HP-UX, IRIX, Linux Intel, Linux s/390, MVS, Open VMS, OS/2, OSF1, Solaris Intel, Solaris Sparc and UnixWare. Status and Recommendation: CA has made patches available for all affected products. These patches are independent of the CA Software that installed CAM. Simply select the patch appropriate to the platform, and the installed version of CAM, and follow the patch application instructions. You should also review the product home pages on SupportConnect for any additional product specific instructions. Solutions for CAM: Platform Solution Windows QO89945 NetWare QO89943 How to determine if you are affected: Determining CAM versions: Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory. The example below indicates that CAM version 1.11 build 27 increment 2 is running. 
E:\>camstat CAM – machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16 Determining the CAM install directory: Windows: The install location is specified by the %CAI_MSQ% environment variable. Unix/Linux/Mac: The /etc/catngcampath text file holds the CAM install location. Workaround: The affected listening port can be disabled by creating or updating CAM's configuration file, CAM.CFG, with the following entry under the "*CONFIG" section: *CONFIG cas_port=0 The CA Messaging Server must be recycled in order for this to take effect. We advise that products dependent upon CAM should be shutdown prior to recycling CAM. Once dependent products have been shutdown, CAM can be recycled with the following commands: On Windows: camclose cam start On NetWare: load camclose load cam start Once CAM has been restarted, any CAM dependent products that were shutdown can be restarted. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved.
VAR-200707-0263 CVE-2007-3875 Denial-of-service (DoS) vulnerability in arclib.dll in CA Anti-Virus and other products CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
arclib.dll before 7.3.0.9 in CA Anti-Virus (formerly eTrust Antivirus) 8 and certain other CA products allows remote attackers to cause a denial of service (infinite loop and loss of antivirus functionality) via an invalid "previous listing chunk number" field in a CHM file. Multiple Computer Associates products are prone to a denial-of-service vulnerability because the applications fail to handle malformed CHM files. Successfully exploiting this issue will cause the affected applications to stop responding, denying service to legitimate users. This issue affects applications that use the 'arclib.dll' library versions prior to 7.3.0.9. The Arclib.DLL library in eTrust products has a security vulnerability. Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities CA Vuln ID (CAID): 35525, 35526 CA Advisory Date: 2007-07-24 Reported By: CVE-2006-5645 - Titon of BastardLabs and Damian Put <pucik at overflow dot pl> working with the iDefense VCP. CVE-2007-3875 - An anonymous researcher working with the iDefense VCP. Sergio Alvarez of n.runs AG also reported these issues. Impact: A remote attacker can cause a denial of service. Summary: CA products that utilize the Arclib library contain two denial of service vulnerabilities. The second vulnerability, CVE-2006-5645, is due to an application hang when processing a specially malformed RAR file. Mitigating Factors: None Severity: CA has given these vulnerabilities a Medium risk rating.
Affected Products: CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 7.1, r8, r8.1 CA Anti-Virus 2007 (v8) eTrust EZ Antivirus r7, r6.1 CA Internet Security Suite 2007 (v3) eTrust Internet Security Suite r1, r2 eTrust EZ Armor r1, r2, r3.x CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8 CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus Gateway) 7.1 CA Protection Suites r2, r3 CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1, 8.0 CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) r8, 8.1 CA Anti-Spyware 2007 Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11, r11.1 BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5 BrightStor Enterprise Backup r10.5 BrightStor ARCserve Client agent for Windows eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1 CA Common Services (CCS) r11, r11.1 CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK) Status and Recommendation: CA has provided an update to address the vulnerabilities. The updated Arclib library is provided in automatic content updates with most products. Ensure that the latest content update is installed. In the case where automatic updates are not available, use the following product specific instructions. CA Secure Content Manager 1.1: Apply QO89469. CA Secure Content Manager 8.0: Apply QO87114. Unicenter Network and Systems Management (NSM) r3.0: Apply QO89141. Unicenter Network and Systems Management (NSM) r3.1: Apply QO89139. Unicenter Network and Systems Management (NSM) r11: Apply QO89140. Unicenter Network and Systems Management (NSM) r11.1: Apply QO89138. CA Common Services (CCS) r11: Apply QO89140. CA Common Services (CCS) r11.1: Apply QO89138. CA Anti-Virus Gateway 7.1: Apply QO89381. eTrust Intrusion Detection 2.0 SP1: Apply QO89474. eTrust Intrusion Detection 3.0: Apply QO86925. eTrust Intrusion Detection 3.0 SP1: Apply QO86923. 
CA Protection Suites r2: Apply updates for CA Anti-Virus 7.1. BrightStor ARCserve Backup and BrightStor ARCserve Client agent for Windows: Manually replace the arclib.dll file with the one provided in the CA Anti-Virus 7.1 fix set. 1. Locate and rename the existing arclib.dll file. 2. Download the CA Anti-Virus 7.1 patch that matches the host operating system. 3. Unpack the patch and place the arclib.dll file in directory where the existing arclib.dll file was found in step 1. 4. Reboot the host. CA Anti-Virus 7.1 (non Windows): T229327 – Solaris – QO86831 T229328 – Netware – QO86832 T229329 – MacPPC – QO86833 T229330 – MacIntel – QO86834 T229331 – Linux390 – QO86835 T229332 – Linux – QO86836 T229333 – HP-UX – QO86837 CA Anti-Virus 7.1 (Windows): T229337 – NT (32 bit) – QO86843 T229338 – NT (AMD64) – QO86846 CA Threat Manager for the Enterprise r8.1 (non Windows): T229334 – Linux – QO86839 T229335 – Mac – QO86828 T229336 – Solaris – QO86829 How to determine if you are affected: For products on Windows: 1. Using Windows Explorer, locate the file “arclib.dll”. By default, the file is located in the “C:\Program Files\CA\SharedComponents\ScanEngine” directory(*). 2. Right click on the file and select Properties. 3. Select the Version tab. 4. If the file version is earlier than indicated in the table below, the installation is vulnerable. File Name File Version arclib.dll 7.3.0.9 *For eTrust Intrusion Detection 2.0 the file is located in “Program Files\eTrust\Intrusion Detection\Common”, and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in “Program Files\CA\Intrusion Detection\Common”. For CA Anti-Virus r8.1 on non-Windows: Use the compver utility provided on the CD to determine the version of arclib.dll. The same version information above applies. 
Workaround: None References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ Security Notice for CA Products Containing Arclib http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp Solution Document Reference APARs: QO89469, QO87114, QO89141, QO89139, QO89140, QO89138, QO89140, QO89138, QO89381, QO89474, QO86925, QO86923, QO86831, QO86832, QO86833, QO86834, QO86835, QO86836, QO86837, QO86843, QO86846, QO86839, QO86828, QO86829 CA Security Advisor posting: CA Products Arclib Library Denial of Service Vulnerabilities http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149847 CA Vuln ID (CAID): 35525, 35526 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35525 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35526 Reported By: CVE-2006-5645 - Titon of BastardLabs and Damian Put <pucik at overflow dot pl> working with the iDefense VCP. CVE-2007-3875 - An anonymous researcher working with the iDefense VCP. Sergio Alvarez of n.runs AG also reported these issues. iDefense advisories: Computer Associates AntiVirus CHM File Handling DoS Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567 Multiple Vendor Antivirus RAR File Denial of Service Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=439 CVE References: CVE-2006-5645, CVE-2007-3875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875 OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com.
BACKGROUND eTrust is an antivirus application developed by Computer Associates. More information can be found on the vendor's website at the following URL. http://www3.ca.com/solutions/product.aspx?ID=156 II. DESCRIPTION Remote exploitation of a denial of Service (DoS) vulnerability in Computer Associates Inc.'s eTrust Antivirus products could allow attackers to create a DoS condition on the affected computer. III. ANALYSIS This denial of service attack will prevent the scanner from scanning other files on disk while it is stuck on the exploit file. The hung process can be quit by the user and does not consume all system resources. IV. DETECTION iDefense has confirmed this vulnerability in eTrust AntiVirus version r8. Previous versions of eTrust Antivirus are suspected vulnerable. Other Computer Associates products, as well as derived products, may also be vulnerable. V. WORKAROUND iDefense is not aware of any workarounds for this issue. VI. VENDOR RESPONSE Computer Associates has addressed this vulnerability by releasing updates. More information is available within Computer Associates advisory at the following URL. http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3875 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE 01/16/2007 Initial vendor notification 01/17/2007 Initial vendor response 07/24/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright © 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. scanning a specially crafted RAR archive. Please see the vendor's advisory for details. 2) The vendor credits Titon of BastardLabs and Damian Put, reported via iDefense Labs.
ORIGINAL ADVISORY: CA: http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ----------------------------------------------------------------------
VAR-200707-0187 CVE-2007-4011 Cisco 4100 Service disruption in (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200707-0623
CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco 4100 and 4400, Airespace 4000, and Catalyst 6500 and 3750 Wireless LAN Controller (WLC) software before 3.2 20070727, 4.0 before 20070727, and 4.1 before 4.1.180.0 allows remote attackers to cause a denial of service (traffic amplification or ARP storm) via a crafted unicast ARP request that (1) has a destination MAC address unknown to the Layer-2 infrastructure, aka CSCsj69233; or (2) occurs during Layer-3 roaming across IP subnets, aka CSCsj70841. Cisco Wireless LAN Controller (WLC) is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to crash the device, denying service to legitimate users. These issues affect Cisco Wireless LAN Control 3.2, 4.0, and 4.1; other versions may also be affected. Cisco Wireless LAN Controllers (WLCs) provide real-time communication between lightweight access points and other wireless-providing LAN controllers to perform centralized system-wide WLAN configuration and management functions. Vulnerable WLCs may mishandle unicast ARP requests from wireless clients, causing ARP storms. Both WLCs attached to the same set of Layer 2 VLANs must have wireless client contexts for this vulnerability to be exposed. This happens after using layer 3 (inter-subnet) roaming or when using guest WLAN (auto-anchor). This allows a second WLC to reprocess the ARP request and incorrectly re-forward the packet back to the network. This vulnerability is documented as CSCsj69233. In the case of Layer 3 (L3) roaming, wireless clients move from one controller to another, and the wireless LAN interfaces configured on different controllers are in different IP subnets. In this case, the unicast ARP may not be tunneled back to the anchor controller, but sent by the external controller to its native VLAN. This vulnerability is documented as CSCsj70841.
VAR-200707-0188 CVE-2007-4012 Cisco 4100 Service disruption in (DoS) Vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-200707-0623
CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
Cisco 4100 and 4400, Airespace 4000, and Catalyst 6500 and 3750 Wireless LAN Controller (WLC) software 4.1 before 4.1.180.0 allows remote attackers to cause a denial of service (ARP storm) via a broadcast ARP packet that "targets the IP address of a known client context", aka CSCsj50374. Cisco Wireless LAN Controller (WLC) is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to crash the device, denying service to legitimate users. These issues affect Cisco Wireless LAN Control 3.2, 4.0, and 4.1; other versions may also be affected. Cisco Wireless LAN Controllers (WLCs) provide real-time communication between lightweight access points and other wireless-providing LAN controllers to perform centralized system-wide WLAN configuration and management functions. There is a vulnerability in the WLC's handling of unicast ARP traffic, and the LAN link between the wireless LAN controllers in the mobility group may be flooded with unicast ARP requests. Vulnerable WLCs may mishandle unicast ARP requests from wireless clients, causing ARP storms. Both WLCs attached to the same set of Layer 2 VLANs must have wireless client contexts for this vulnerability to be exposed. This happens after using layer 3 (inter-subnet) roaming or when using guest WLAN (auto-anchor). If multiple WLCs are installed on the corresponding VLAN, it will cause an ARP storm. This vulnerability is documented as CSCsj50374
VAR-200707-0144 CVE-2007-3959 ICS of Ipswitch Instant Messaging of IM Server Service disruption in (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The IM Server (aka IMserve or IMserver) 2.0.5.30 and probably earlier in Ipswitch Instant Messaging before 2.07 in Ipswitch Collaboration Suite (ICS) allows remote attackers to cause a denial of service (daemon crash) via certain data to TCP port 5179 that overwrites a destructor, as reachable by the (1) DoAttachVideoSender, (2) DoAttachVideoReceiver, (3) DoAttachAudioSender, and (4) DoAttachAudioReceiver functions. Ipswitch Instant Messaging Server is prone to a remote denial-of-service vulnerability because the application fails to properly handle unexpected network data. Successfully exploiting this issue allows remote attackers to crash the IM service, denying further instant messages for legitimate users. Ipswitch IM Server 2.0.5.30 is vulnerable; other versions may also be affected. Ipswitch Instant Messaging is the instant messaging software bundled in the Ipswitch collaboration component. The vulnerable code can be reached through the following functions: DoAttachVideoSender DoAttachVideoReceiver DoAttachAudioSender DoAttachAudioReceiver. The vulnerability is reported in version 2.0.5.30. SOLUTION: Update to version 2.0.7. http://www.ipswitch.com/support/instant_messaging/patch-upgrades.asp PROVIDED AND/OR DISCOVERED BY: Discovered by an anonymous researcher and reported via iDefense.
ORIGINAL ADVISORY: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=566
VAR-200707-0111 CVE-2007-3926 Ipswitch IMail Server 2006 Service disruption in (DoS) Vulnerabilities CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Ipswitch IMail Server 2006 before 2006.21 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving an "overwritten destructor." Ipswitch IMail Server 2006 contains a vulnerability that results in a service disruption (daemon crash). A third party could put the server into a service disruption (daemon crash) state. IMail Server is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- TITLE: Ipswitch IMail Server/Collaboration Suite Multiple Buffer Overflows SECUNIA ADVISORY ID: SA26123 VERIFY ADVISORY: http://secunia.com/advisories/26123/ CRITICAL: Highly critical IMPACT: System access WHERE: From remote SOFTWARE: IMail Server 2006 http://secunia.com/product/8653/ Ipswitch Collaboration Suite 2006 http://secunia.com/product/8652/ DESCRIPTION: Some vulnerabilities have been reported in Ipswitch IMail Server and Collaboration Suite, which can be exploited by malicious users and malicious people to compromise a vulnerable system. 1) A boundary error in the processing of the IMAP "SEARCH" command can be exploited to cause a stack-based buffer overflow. Successful exploitation allows execution of arbitrary code, but requires a valid user account. 2) A boundary error in the processing of the IMAP "SEARCH CHARSET" command can be exploited to cause a heap-based buffer overflow. Successful exploitation allows execution of arbitrary code, but requires a valid user account.
Vulnerabilities #1 and #2 are reported in version 6.8.8.1 of imapd32.exe. Prior versions may also be affected. 3) A boundary error in Imailsec can be exploited to cause a heap-based buffer overflow and allows execution of arbitrary code. 4) A boundary error in "subscribe" can be exploited to cause a buffer overflow. No further information is currently available. Vulnerabilities #3 and #4 are reported in Ipswitch IMail Server and Collaboration Suite prior to version 2006.21. SOLUTION: Update to IMail Server version 2006.21. http://www.ipswitch.com/support/imail/releases/im200621.asp Update to Ipswitch Collaboration Suite 2006.21. http://www.ipswitch.com/support/ics/updates/ics200621.asp PROVIDED AND/OR DISCOVERED BY: 1) Manuel Santamarina Suarez, reported via iDefense Labs. 2) An anonymous person, reported via iDefense Labs. 3, 4) The vendor credits TippingPoint and the Zero Day Initiative. ORIGINAL ADVISORY: IPSwitch: http://www.ipswitch.com/support/imail/releases/im200621.asp http://www.ipswitch.com/support/ics/updates/ics200621.asp iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563
VAR-200711-0295 CVE-2007-0011 Citrix Access Gateway of Web Session hijack vulnerability in portal interface CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including a referer log, browser history, or browser cache. Sessions can be hijacked through this "residual information". Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Note: This is a belated release to the mailing lists (though most of the tracking services picked this up via the Citrix advisory)... -- History -- Discovered: 05.09.06 (Martin O'Neal) Vendor notified: 19.10.06 Document released: 20.07.07 -- Overview -- Citrix Access Gateways are described [1] as "universal SSL VPN appliances providing a secure, always-on, single point-of-access to an organization's applications and data". Amongst other features, the product provides a web portal to corporate applications and resources. -- Analysis -- The web portal interface incorporates a collection of .NET scripts, which utilise a session ID contained within cookies. During the authentication sequence the user session is redirected via a HTTP meta refresh header in an HTML response. The browser subsequently uses this within the next GET request (and the referer header field of the next HTTP request), placing the session ID in history files, and both client and server logs. The use of the session ID within the HTML content is made worse by the application not setting the HTTP cache control headers appropriately, which can lead to the HTML content being stored within the local browser cache.
Where this is particularly a problem is where the web portal is accessed from a shared or public access terminal, such as an Internet Café; the very environment that this type of solution is intended for. Strong authentication technology, such as SecurID 2FA, does not protect against this style of attack, as the session ID is generated after the strong authentication process is completed. -- Recommendations -- Review the recommendations in the Citrix alert [2]. Until the product is upgraded, consider reviewing your remote access policy to restrict the use of the product in shared-access environments. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0011 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.citrix.com/English/ps2/products/product.asp?contentID=15005 [2] http://support.citrix.com/article/CTX113814 -- Revision -- a. Initial release. b. Released. -- Distribution -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research.
A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2006-2007 Corsaire Limited. All rights reserved. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user’s active session. 2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in context of the logged-in user. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5.
Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O’Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817
VAR-200707-0189 CVE-2007-4013 Firefox In the plugin directory Net6Helper.DLL Vulnerabilities in unknown details CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Multiple unspecified vulnerabilities in (1) Net6Helper.DLL (aka Net6Launcher Class) 4.5.2 and earlier, (2) npCtxCAO.dll (aka Citrix Endpoint Analysis Client) in a Firefox plugin directory, and (3) a second npCtxCAO.dll (aka CCAOControl Object) before 4.5.0.0 in Citrix Access Gateway Standard Edition before 4.5.5 and Advanced Edition before 4.5 HF1 have unknown impact and attack vectors, possibly related to buffer overflows. NOTE: vector 3 might overlap CVE-2007-3679. This vulnerability may overlap CVE-2007-3679. Details of the impact of this vulnerability are unknown. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user’s active session. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior.
A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817
VAR-200707-0192 CVE-2007-4016 Citrix Access Gateway Standard Edition and Advanced Edition Arbitrary client component vulnerable to arbitrary code execution CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Unspecified vulnerability in the client components in Citrix Access Gateway Standard Edition before 4.5.5 and Advanced Edition before 4.5 HF1 allows attackers to execute arbitrary code via unspecified vectors. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user’s active session. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5.
Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O’Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817
VAR-200707-0193 CVE-2007-4017 Citrix Access Gateway of Web -Based management console cross-site request forgery vulnerability CVSS V2: 7.6
CVSS V3: -
Severity: HIGH
Cross-site request forgery (CSRF) vulnerability in the web-based administration console in Citrix Access Gateway before firmware 4.5.5 allows remote attackers to perform certain configuration changes as administrators. Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user’s active session. 2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in context of the logged-in user. This can be exploited to e.g. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5.
Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O’Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817
VAR-200707-0194 CVE-2007-4018 Citrix Access Gateway Advanced Edition Vulnerable to phishing attacks CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Citrix Access Gateway Advanced Edition before firmware 4.5.5 allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via unknown vectors. Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to:
- Obtain sensitive information
- Execute code remotely
- Hijack sessions
- Redirect users to arbitrary sites
- Make unauthorized configuration changes
Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources.
1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user's active session.
2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in context of the logged-in user.
3) The web-based administration console of an Access Gateway appliance allows an administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior.
A redirection issue that may facilitate phishing attacks has also been reported.
SOLUTION: Apply hotfix and update firmware to version 4.5.5.
Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028
Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803
The vendor also recommends removing the following components from client devices:
VPN ActiveX components:
* Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2)
EPA Components (ActiveX):
* npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0)
EPA Components (Firefox plugin):
* npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations)
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Martin O'Neal, Corsaire.
2) The vendor credits Michael White, Symantec.
3) The vendor credits Paul Johnston.
ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX113814
http://support.citrix.com/article/CTX113815
http://support.citrix.com/article/CTX113816
http://support.citrix.com/article/CTX113817
VAR-200707-0453 CVE-2007-3679 Citrix EPA ActiveX Vulnerability in Control Downloading Arbitrary Programs on Client System CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
The Citrix EPA ActiveX control (aka the "endpoint checking control" or CCAOControl Object) before 4.5.0.0 in npCtxCAO.dll in Citrix Access Gateway Standard Edition before 4.5.5 and Advanced Edition before 4.5 HF1 allows remote attackers to download and execute arbitrary programs onto a client system. Citrix EPA ActiveX control is prone to a remote code-execution vulnerability. An attacker may exploit this issue by enticing victims into visiting a malicious webpage. Successful exploits may allow attackers to execute arbitrary code on a victim's computer. This may facilitate a compromise of vulnerable computers. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources.
Symantec Vulnerability Research http://www.symantec.com/research Security Advisory
Advisory ID: SYMSA-2007-006
Advisory Title: Citrix EPA ActiveX Control Design Flaw
Author: Michael White / michael_white@symantec.com
Release Date: 19-07-2007
Application: Citrix Access Gateway
Platform: Internet Explorer/Win32
Severity: Remote arbitrary code execution
Vendor status: Patch available
CVE Number: CVE-2007-3679
Reference: http://www.securityfocus.com/bid/24865
Overview: Citrix Access Gateway offers a clientless SSL VPN solution implemented through a series of browser-based controls. As part of the endpoint validation, the ActiveX control for Internet Explorer downloads and executes a series of executable modules from the remote server.
Details: Researchers identified that the endpoint checking control can be embedded in any web page and subverted to download and execute any executable module of the attacker's choosing. This vulnerability represents a design flaw in the architecture of the endpoint validation practice. A high level of browser trust is required to allow the endpoint checks to function correctly, and the control is signed by Citrix Corporation.
Vendor Response: This has been addressed by a product update. See http://support.citrix.com/article/CTX113815
Recommendation: Apply the product update as detailed in http://support.citrix.com/article/CTX113815
Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-3679
-------Symantec Vulnerability Research Advisory Information-------
For questions about this advisory, or to report an error: research@symantec.com
For details on Symantec's Vulnerability Reporting Policy: http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf
Symantec Vulnerability Research Advisory Archive: http://www.symantec.com/research/
Symantec Vulnerability Research GPG Key: http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc
-------------Symantec Product Advisory Information-------------
To Report a Security Vulnerability in a Symantec Product: secure@symantec.com
For general information on Symantec's Product Vulnerability reporting and response: http://www.symantec.com/security/
Symantec Product Advisory Archive: http://www.symantec.com/avcenter/security/SymantecAdvisories.html
Symantec Product Advisory PGP Key: http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc
---------------------------------------------------------------
Copyright (c) 2007 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from research@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information.
Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
TITLE: Citrix Access Gateway Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA26143
VERIFY ADVISORY: http://secunia.com/advisories/26143/
CRITICAL: Highly critical
IMPACT: Cross Site Scripting, Exposure of sensitive information, System access
WHERE: From remote
SOFTWARE: Citrix Access Gateway 4.x http://secunia.com/product/6168/
DESCRIPTION: Some vulnerabilities and a security issue have been reported in Citrix Access Gateway, which can be exploited by malicious people to disclose sensitive information, conduct cross-site request forgery attacks, or to compromise a user's system.
1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user's active session. This security issue is reported in Access Gateway Advanced Edition 4.5 and prior.
These vulnerabilities are reported in Access Gateway Standard Edition 4.5.2 and prior and Access Gateway Advanced Editions version 4.5 and prior with appliance firmware 4.5.2 and prior.
3) The web-based administration console of an Access Gateway appliance allows an administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. Access Gateway Enterprise Edition is reportedly not affected.
A redirection issue that may facilitate phishing attacks has also been reported.
SOLUTION: Apply hotfix and update firmware to version 4.5.5.
2) The vendor credits Michael White, Symantec.
3) The vendor credits Paul Johnston.
ORIGINAL ADVISORY:
http://support.citrix.com/article/CTX113814
http://support.citrix.com/article/CTX113815
http://support.citrix.com/article/CTX113816
http://support.citrix.com/article/CTX113817