VARIoT IoT vulnerabilities database

modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and "orphaned callback pointers.". The Apache mod_isapi module can be forced to unload a specific library before the processing of a request is complete, resulting in memory corruption. This vulnerability may allow a remote attacker to execute arbitrary code. Apache is prone to a memory-corruption vulnerability. Apache versions prior to 2.2.15 are affected. For more information see vulnerability #2: SA38776 Successful exploitation requires that "mod_isapi" is enabled (disabled by default). For more information see vulnerability #2 in: SA38776 SOLUTION: Fixed in the SVN repository. ---------------------------------------------------------------------- Use WSUS to deploy 3rd party patches Public BETA http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: Apache HTTP Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38776 VERIFY ADVISORY: http://secunia.com/advisories/38776/ DESCRIPTION: Some vulnerabilities have been reported in Apache HTTP Server, where one has unknown impacts and others can be exploited by malicious people to gain access to potentially sensitive information or cause a DoS (Denial of Service). 1) The "ap_proxy_ajp_request()" function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the "HTTP_INTERNAL_SERVER_ERROR" error code when processing certain malformed requests. This can be exploited to put the backend server into an error state until the retry timeout expired by sending specially crafted requests. 3) An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module (MPM) is used. Vulnerabilities #1 and #3 are reported in version 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.11, 2.2.12, 2.2.13, and 2.2.14. SOLUTION: Fixed in httpd 2.2.15-dev. Update to version 2.2.15 as soon as it becomes available. PROVIDED AND/OR DISCOVERED BY: 1, 2) Reported by the vendor. 3) Reported in a bug report by Philip Pickett ORIGINAL ADVISORY: http://httpd.apache.org/security/vulnerabilities_22.html http://svn.apache.org/viewvc?view=revision&revision=917875 http://svn.apache.org/viewvc?view=revision&revision=917870 https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2010-0014 Synopsis: VMware Workstation, Player, and ACE address several security issues. Issue date: 2010-09-23 Updated on: 2010-09-23 (initial release of advisory) CVE numbers: CVE-2010-3277 CVE-2010-1205 CVE-2010-0205 CVE-2010-2249 CVE-2010-0434 CVE-2010-0425 - ------------------------------------------------------------------------ 1. Summary VMware Workstation and Player address a potential installer security issue and security issues in libpng. VMware ACE Management Server (AMS) for Windows updates Apache httpd. 2. Relevant releases VMware Workstation 7.1.1 and earlier, VMware Player 3.1.1 and earlier, VMware ACE Management Server 2.7.1 and earlier, Note: VMware Server was declared End Of Availability on January 2010, support will be limited to Technical Guidance for the duration of the support term. 3. Problem Description a. VMware Workstation and Player installer security issue The Workstation 7.x and Player 3.x installers will load an index.htm file located in the current working directory on which Workstation 7.x or Player 3.x is being installed. This may allow an attacker to display a malicious file if they manage to get their file onto the system prior to installation. The issue can only be exploited at the time that Workstation 7.x or Player 3.x is being installed. The security issue is no longer present in the installer of the new versions of Workstation 7.x and Player 3.x (see table below for the version numbers). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-3277 to this issue. VMware would like to thank Alexander Trofimov and Marc Esher for independently reporting this issue to VMware. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 7.x any 7.1.2 build 301548 or later * Workstation 6.5.x any not affected Player 3.x any 3.1.2 build 301548 or later * Player 2.5.x any not affected AMS any any not affected Server any any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected * Note: This only affects the installer, if you have a version of Workstation or Player installed you are not vulnerable. b. Third party libpng updated to version 1.2.44 A buffer overflow condition in libpng is addressed that could potentially lead to code execution with the privileges of the application using libpng. Two potential denial of service issues are also addressed in the update. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1205, CVE-2010-0205, CVE-2010-2249 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 7.1.x any 7.1.2 build 301548 or later Workstation 6.5.x any affected, patch pending Player 3.1.x any 3.1.2 build 301548 or later Player 2.5.x any affected, patch pending AMS any any not affected Server any any affected, no patch planned Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected c. VMware ACE Management Server (AMS) for Windows updates Apache httpd version 2.2.15. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0434 and CVE-2010-0425 to the issues addressed in this update. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation any any not affected Player any any not affected AMS any Windows 2.7.2 build 301548 or later AMS any Linux affected, patch pending * Server any any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected * Note CVE-2010-0425 is not applicable to AMS running on Linux 4. Solution Please review the patch/release notes for your product and version and verify the md5sum and/or the sha1sum of your downloaded file. VMware Workstation 7.1.2 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://downloads.vmware.com/support/ws71/doc/releasenotes_ws712.html Workstation for Windows 32-bit and 64-bit with VMware Tools md5sum: 2e9715ec297dc3ca904ad2707d3e2614 sha1sum: 55b2b99f67c3dacd402fb9880999086efd264e7a Workstation for Windows 32-bit and 64-bit without VMware Tools md5sum: 066929f59aef46f11f4d9fd6c6b36e4d sha1sum: def776a28ee1a21b1ad26e836ae868551fff6fc3 VMware Player 3.1.2 ------------------- http://www.vmware.com/download/player/ Release notes: http://downloads.vmware.com/support/player31/doc/releasenotes_player312.html VMware Player for Windows 32-bit and 64-bit md5sum: 3f289cb33af5e425c92d8512fb22a7ba sha1sum: bf67240c1f410ebeb8dcb4f6d7371334bf9a6b70 VMware Player for Linux 32-bit md5sum: 11e3e3e8753e1d9abbbb92c4e3c1dfe8 sha1sum: dd1dbcdb1f4654eefc11472b68934dcb69842749 VMware Player for Linux 64-bit md5sum: 2ab08e0d4050719845a64d334ca15bb1 sha1sum: f024ad84ec831fce8667dfa9601851da5d9fa59c VMware ACE Management Server 2.7.2 ---------------------------------- http://downloads.vmware.com/d/info/desktop_downloads/vmware_ace/2_7 Release notes: http://downloads.vmware.com/support/ace27/doc/releasenotes_ace272.html ACE Management Server for Windows md5sum: 02f0072b8e48a98ed914b633f070d550 sha1sum: 94a68eac4a328d21a741879b9d063227c0dc1ce4 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425 - ------------------------------------------------------------------------ 6. Change log 2010-09-23 VMSA-2010-0014 Initial security advisory after release of Workstation 7.1.2, Player 3.1.2 and ACE Management Server 2.7.2 on 2010-09-23 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware Security Advisories http://www.vmware.com/security/advisoiries VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2010 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iEYEARECAAYFAkycSrQACgkQS2KysvBH1xmT9wCfbBUS4GYrJohz+QMLYcoiFmSh eTgAoIAmx+ilbe2myj02daLjFrVQfQII =5jlh -----END PGP SIGNATURE----- . 5-Mar-2010 Last Update. - Vendor Notification Date. 9-Feb-2010 Product. Apache HTTP Server Platform. 2.2.14 verified and possibly others. Severity Rating. High Impact. System access Attack Vector. Remote Solution Status. Upgrade to 2.2.15 (as advised by Apache) CVE reference. CVE-2010-0425 Details. The Apache HTTP Server, commonly referred to as Apache, is a popular open source web server software. mod_isapi is a core module of the Apache package that implements the Internet Server extension API. However function pointers still remain in memory and are called when published ISAPI functions are referenced. This results in a dangling pointer vulnerability. Proof of Concept. Proof of concept code is available for this vulnerability. The payload will write a text file (sos.txt) to the Apache working directory demonstrating that code execution is possible. The code can be downloaded from the following link: http://www.senseofsecurity.com.au/advisories/SOS-10-002-pwn-isapi.cpp Furthermore, a video demonstrating the exploitation of this vulnerability using a bind shell has been created. It can be viewed at the following link: http://www.senseofsecurity.com.au/movies/SOS-10-002-apache-isapi.mp4 Solution. Discovered by. Brett Gervasoni from Sense of Security Labs. Sense of Security is a leading provider of information security and risk management solutions. Our team has expert skills in assessment and assurance, strategy and architecture, and deployment through to ongoing management. We are Australia's premier application penetration testing firm and trusted IT security advisor to many of the countries largest organisations. Sense of Security Pty Ltd Level 3, 66 King St Sydney NSW 2000 AUSTRALIA T: +61 (0)2 9290 4444 F: +61 (0)2 9290 4455 W: http://www.senseofsecurity.com.au/consulting/penetration-testing E: info@senseofsecurity.com.au Twitter: ITsecurityAU The latest version of this advisory can be found at: http://www.senseofsecurity.com.au/advisories/SOS-10-002 . ---------------------------------------------------------------------- Proof-of-Concept (PoC) and Extended Analysis available for customers. 1) Sensitive information may be written to the trace log file in cleartext when full SIP (Session Initiation Protocol) tracing is enabled and users connect using Basic authentication. For more information see vulnerability #3: SA38776 3) A vulnerability in the TLS protocol while handling session re-negotiations can be exploited to manipulate certain data. For more information see vulnerability #1: SA37291 4) A vulnerability in mod_proxy_ajp module can be exploited to cause a DoS (Denial of Service). For more information see vulnerability #1: SA38776 5) An error in mod_isapi module can be exploited to compromise a vulnerable system. For more information see vulnerability #2: SA38776 NOTE: Certain sensitive information may also be disclosed when running in debugging mode using the "-trace" option. SOLUTION: Apply APAR PM12247 or Fix Pack 6.1.0.31 when available (currently scheduled for 10th May 2010)

The ap_read_request function in server/protocol.c in the Apache HTTP Server 2.2.x before 2.2.15, when a multithreaded MPM is used, does not properly handle headers in subrequests in certain circumstances involving a parent request that has a body, which might allow remote attackers to obtain sensitive information via a crafted request that triggers access to memory locations associated with an earlier request. The Apache mod_isapi module can be forced to unload a specific library before the processing of a request is complete, resulting in memory corruption. This vulnerability may allow a remote attacker to execute arbitrary code. When using the header customization function through the RequestHeader directive of Hitachi Web Server, if the RequestHeader directive is defined and the mod_headers module is being used through the LoadModule directive, it could allow an attacker to gain access to the data that have been deleted from the memory. If the header customization function of the RequestHeader directive is not used, the vulnerability does not apply.An attacker may gain access to the data that have been deleted from the memory. Apache is prone to an information-disclosure vulnerability. Attackers can leverage this issue to gain access to sensitive information; attacks may also result in denial-of-service conditions. Apache versions prior to 2.2.15 are affected. NOTE: This issue was previously described in BID 38494 (Apache Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability. Background ========== Apache HTTP Server is one of the most popular web servers on the Internet. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker might obtain sensitive information, gain privileges, send requests to unintended servers behind proxies, bypass certain security restrictions, obtain the values of HTTPOnly cookies, or cause a Denial of Service in various ways. A local attacker could gain escalated privileges. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache HTTP Server users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.22-r1" References ========== [ 1 ] CVE-2010-0408 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0408 [ 2 ] CVE-2010-0434 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0434 [ 3 ] CVE-2010-1452 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1452 [ 4 ] CVE-2010-2791 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2791 [ 5 ] CVE-2011-3192 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3192 [ 6 ] CVE-2011-3348 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3348 [ 7 ] CVE-2011-3368 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3368 [ 8 ] CVE-2011-3607 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3607 [ 9 ] CVE-2011-4317 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4317 [ 10 ] CVE-2012-0021 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0021 [ 11 ] CVE-2012-0031 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0031 [ 12 ] CVE-2012-0053 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0053 [ 13 ] CVE-2012-0883 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0883 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201206-25.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 . ---------------------------------------------------------------------- Use WSUS to deploy 3rd party patches Public BETA http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: Apache HTTP Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA38776 VERIFY ADVISORY: http://secunia.com/advisories/38776/ DESCRIPTION: Some vulnerabilities have been reported in Apache HTTP Server, where one has unknown impacts and others can be exploited by malicious people to gain access to potentially sensitive information or cause a DoS (Denial of Service). 1) The "ap_proxy_ajp_request()" function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the "HTTP_INTERNAL_SERVER_ERROR" error code when processing certain malformed requests. This can be exploited to put the backend server into an error state until the retry timeout expired by sending specially crafted requests. 3) An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module (MPM) is used. Vulnerabilities #1 and #3 are reported in version 2.2.0, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8, 2.2.9, 2.2.11, 2.2.12, 2.2.13, and 2.2.14. SOLUTION: Fixed in httpd 2.2.15-dev. Update to version 2.2.15 as soon as it becomes available. PROVIDED AND/OR DISCOVERED BY: 1, 2) Reported by the vendor. 3) Reported in a bug report by Philip Pickett ORIGINAL ADVISORY: http://httpd.apache.org/security/vulnerabilities_22.html http://svn.apache.org/viewvc?view=revision&revision=917875 http://svn.apache.org/viewvc?view=revision&revision=917870 https://issues.apache.org/bugzilla/show_bug.cgi?id=48359 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ VMware Security Advisory Advisory ID: VMSA-2010-0014 Synopsis: VMware Workstation, Player, and ACE address several security issues. Issue date: 2010-09-23 Updated on: 2010-09-23 (initial release of advisory) CVE numbers: CVE-2010-3277 CVE-2010-1205 CVE-2010-0205 CVE-2010-2249 CVE-2010-0434 CVE-2010-0425 - ------------------------------------------------------------------------ 1. Summary VMware Workstation and Player address a potential installer security issue and security issues in libpng. VMware ACE Management Server (AMS) for Windows updates Apache httpd. 2. Relevant releases VMware Workstation 7.1.1 and earlier, VMware Player 3.1.1 and earlier, VMware ACE Management Server 2.7.1 and earlier, Note: VMware Server was declared End Of Availability on January 2010, support will be limited to Technical Guidance for the duration of the support term. 3. Problem Description a. VMware Workstation and Player installer security issue The Workstation 7.x and Player 3.x installers will load an index.htm file located in the current working directory on which Workstation 7.x or Player 3.x is being installed. This may allow an attacker to display a malicious file if they manage to get their file onto the system prior to installation. The issue can only be exploited at the time that Workstation 7.x or Player 3.x is being installed. The security issue is no longer present in the installer of the new versions of Workstation 7.x and Player 3.x (see table below for the version numbers). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-3277 to this issue. VMware would like to thank Alexander Trofimov and Marc Esher for independently reporting this issue to VMware. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 7.x any 7.1.2 build 301548 or later * Workstation 6.5.x any not affected Player 3.x any 3.1.2 build 301548 or later * Player 2.5.x any not affected AMS any any not affected Server any any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected * Note: This only affects the installer, if you have a version of Workstation or Player installed you are not vulnerable. b. Third party libpng updated to version 1.2.44 A buffer overflow condition in libpng is addressed that could potentially lead to code execution with the privileges of the application using libpng. Two potential denial of service issues are also addressed in the update. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-1205, CVE-2010-0205, CVE-2010-2249 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation 7.1.x any 7.1.2 build 301548 or later Workstation 6.5.x any affected, patch pending Player 3.1.x any 3.1.2 build 301548 or later Player 2.5.x any affected, patch pending AMS any any not affected Server any any affected, no patch planned Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected c. VMware ACE Management Server (AMS) for Windows updates Apache httpd version 2.2.15. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0434 and CVE-2010-0425 to the issues addressed in this update. Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= VirtualCenter any Windows not affected Workstation any any not affected Player any any not affected AMS any Windows 2.7.2 build 301548 or later AMS any Linux affected, patch pending * Server any any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX any ESX not affected * Note CVE-2010-0425 is not applicable to AMS running on Linux 4. Solution Please review the patch/release notes for your product and version and verify the md5sum and/or the sha1sum of your downloaded file. VMware Workstation 7.1.2 ------------------------ http://www.vmware.com/download/ws/ Release notes: http://downloads.vmware.com/support/ws71/doc/releasenotes_ws712.html Workstation for Windows 32-bit and 64-bit with VMware Tools md5sum: 2e9715ec297dc3ca904ad2707d3e2614 sha1sum: 55b2b99f67c3dacd402fb9880999086efd264e7a Workstation for Windows 32-bit and 64-bit without VMware Tools md5sum: 066929f59aef46f11f4d9fd6c6b36e4d sha1sum: def776a28ee1a21b1ad26e836ae868551fff6fc3 VMware Player 3.1.2 ------------------- http://www.vmware.com/download/player/ Release notes: http://downloads.vmware.com/support/player31/doc/releasenotes_player312.html VMware Player for Windows 32-bit and 64-bit md5sum: 3f289cb33af5e425c92d8512fb22a7ba sha1sum: bf67240c1f410ebeb8dcb4f6d7371334bf9a6b70 VMware Player for Linux 32-bit md5sum: 11e3e3e8753e1d9abbbb92c4e3c1dfe8 sha1sum: dd1dbcdb1f4654eefc11472b68934dcb69842749 VMware Player for Linux 64-bit md5sum: 2ab08e0d4050719845a64d334ca15bb1 sha1sum: f024ad84ec831fce8667dfa9601851da5d9fa59c VMware ACE Management Server 2.7.2 ---------------------------------- http://downloads.vmware.com/d/info/desktop_downloads/vmware_ace/2_7 Release notes: http://downloads.vmware.com/support/ace27/doc/releasenotes_ace272.html ACE Management Server for Windows md5sum: 02f0072b8e48a98ed914b633f070d550 sha1sum: 94a68eac4a328d21a741879b9d063227c0dc1ce4 5. References CVE numbers http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3277 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0205 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2249 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0434 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425 - ------------------------------------------------------------------------ 6. Change log 2010-09-23 VMSA-2010-0014 Initial security advisory after release of Workstation 7.1.2, Player 3.1.2 and ACE Management Server 2.7.2 on 2010-09-23 - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware Security Advisories http://www.vmware.com/security/advisoiries VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/eos_vi.html Copyright 2010 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (MingW32) iEYEARECAAYFAkycSrQACgkQS2KysvBH1xmT9wCfbBUS4GYrJohz+QMLYcoiFmSh eTgAoIAmx+ilbe2myj02daLjFrVQfQII =5jlh -----END PGP SIGNATURE----- . =========================================================== Ubuntu Security Notice USN-908-1 March 10, 2010 apache2 vulnerabilities CVE-2010-0408, CVE-2010-0434 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS Ubuntu 8.04 LTS Ubuntu 8.10 Ubuntu 9.04 Ubuntu 9.10 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: apache2-common 2.0.55-4ubuntu2.10 Ubuntu 8.04 LTS: apache2.2-common 2.2.8-1ubuntu0.15 Ubuntu 8.10: apache2.2-common 2.2.9-7ubuntu3.6 Ubuntu 9.04: apache2.2-common 2.2.11-2ubuntu2.6 Ubuntu 9.10: apache2.2-common 2.2.12-1ubuntu2.2 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: It was discovered that mod_proxy_ajp did not properly handle errors when a client doesn't send a request body. A remote attacker could exploit this with a crafted request and cause a denial of service. This issue affected Ubuntu 8.04 LTS, 8.10, 9.04 and 9.10. (CVE-2010-0408) It was discovered that Apache did not properly handle headers in subrequests under certain conditions. (CVE-2010-0434) Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.10.diff.gz Size/MD5: 132089 426096b5df2f66afdc5238e1a36ad7ae http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.10.dsc Size/MD5: 1159 89f54b0237d3770822f4dcfa62bfa873 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55.orig.tar.gz Size/MD5: 6092031 45e32c9432a8e3cf4227f5af91b03622 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.0.55-4ubuntu2.10_all.deb Size/MD5: 2126014 e9b8c902a850462498ab760300ff6cac amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 834550 7bfe05f8ccc35b49e8998bc75f114e44 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 229650 ebc761664f68ccd5805e63eaecc1fba6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 224730 da6f9cd05b7a8feaa738a91d67f39c74 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 229224 e087b7f813d42f2622c5292ce30f1ffa http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 172968 37cfdc9dd428d96eb91e11c94edc4988 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 173760 3269814929d4a742c3aa4df43b125238 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 95562 782b22fdd2dca1031065c5d4d6fa6931 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 37614 448a6d1968f64595bb30644a50ec9dee http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 287158 882d910084c66b442bbdcd04643b67b2 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.10_amd64.deb Size/MD5: 145732 27844ce798fe5a89b0a612254a31a9ce i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 787934 252a6dcbd54e8107a2e78faaa2cf233a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 204202 7859818455e0b7729e5c5a7b1351b824 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 200134 dc6ecf58a2877af8233c2022ff26c193 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 203674 4d1017b6964f5dba1baf3a8f6605659a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 172992 67ae3a23063006ba0c7b85996a216f0b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 173764 fcff9551d128201554386ca20b4cad04 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 93528 61dcc7a007dd827c0853c43dd817a53c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 37610 1f5ef7a7233531c6ca3389103ad31081 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 263174 cfb02840f6dfaaedbf6b3afc09781c53 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.10_i386.deb Size/MD5: 133598 417b4a1b229447ad9b3f4a6fcfb23de2 powerpc architecture (Apple Macintosh G3/G4/G5): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 860642 48ff1bc6cb2f03809199402b276d3c79 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 221616 ce06bf591c2af7dac0f21c64179b6b9f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 217250 854c8b46a495752ce561bc64f69926a6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 221100 6094b4cda7e06af45d46e82931037912 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 172980 bf6bda9d816af33d521aef4d0d19d910 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 173760 3ed3d7f93b21bf01acde0cda9f81e3f6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 105290 bab3bec77e0fd96f8f6d71a925c6c4a6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 37612 f950cac274a27ddd8c3e3ba0d51c6e67 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 282738 fec6bcf82912a5eb03663ff9897a2730 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.10_powerpc.deb Size/MD5: 142828 7a5f915bc7c92ad390b1b84f02b05167 sparc architecture (Sun SPARC/UltraSPARC): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-common_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 805156 d9a317d7cd5165c41b311425c4cd227a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 211746 08b1d3606bda53788af291b3b5848601 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 207470 8154c23c5caaceea57ee8350d829a78d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 211134 65758f643c7bcc58881076faed925e43 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 172970 ba40003b159c9a955dfdd4dd45d30404 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 173748 856ec4539cb6137db9edd4abb623852e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 94610 8420b4b80fb4e1a9fa39e4b04e12578a http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 37616 2b84d8a572d75fd4d3a10acfdecb8d0e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0-dev_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 269164 1ee1afbfba811a082a82114ced122943 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/libapr0_2.0.55-4ubuntu2.10_sparc.deb Size/MD5: 131556 ac64fc4b82792216551a68654da5aca7 Updated packages for Ubuntu 8.04 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.15.diff.gz Size/MD5: 143511 9ae15355b3b33bfffd57b7c387a623af http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.15.dsc Size/MD5: 1382 c73a33ddb07551037f66f941f7c09f67 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8.orig.tar.gz Size/MD5: 6125771 39a755eb0f584c279336387b321e3dfc Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.8-1ubuntu0.15_all.deb Size/MD5: 1929148 986e20d917416ba04256f2b65f58af23 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-perchild_2.2.8-1ubuntu0.15_all.deb Size/MD5: 73044 8797cead9183b7b45e26a87f85c03a61 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.8-1ubuntu0.15_all.deb Size/MD5: 6258176 9ddd16e5a205eda2c6a15ec769a9e9ce http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.8-1ubuntu0.15_all.deb Size/MD5: 45970 f63af256575964b262bbb41999cc0a72 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 253208 84c7f752e5e232464ccf193902b39a77 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 248818 e5edc28f76ec94116740b83f7f8d76cd http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 252604 49e3c70c1f97daf2707ae3bf5f0e943f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 205706 3b163e56ebd2f5992eef86803679dffd http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 206460 19cb7386cdf00c156f64b9f2c4bc1250 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 141812 38463dc035875bba573a420aeb78fc55 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.15_amd64.deb Size/MD5: 804224 7e23a2e17dfa6f8a37588b42c37590e9 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 236194 5e191cc83788c2e66635413453771481 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 231720 c079f54cbdb931cab220c8c587f3936b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 235446 f64813b7af3c9975d86b4c28892e759b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 205716 077591e2e4cdca278f2784f97ad3f8d3 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 206484 51e99c350efa425ed768720c4c98313b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 140770 d328f36ab33f61f3157024501909a139 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.15_i386.deb Size/MD5: 755798 927a56f1405f1309893050ea9237f994 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 235722 876be7a8737de0a515f21aa629a09d45 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 231362 2078e50363d811291351a1c27bc58c0b http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 234856 0c7d564fd292dbc12b74de8a3484aab5 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 205722 9eb8e1d684b3a96c93ff0f86cc709adb http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 206492 f340746f1893e25a720000bb560b0676 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 141342 baeccaadd0e91b7045b7358a6c7cbda8 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.15_lpia.deb Size/MD5: 749976 b83e2963384a68fe52faa734017b57d0 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 254284 d31f219bd5eda15bceb06bc9e25eabab http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 249736 c66c5975b356db9cf6b42a042271c6e3 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 253842 5247b89584455be5623c404b24796cec http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 205728 58d1431d486459d641db835ad4a35fc2 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 206490 a722a8aa18f08ab19ab127dfda9443a7 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 158536 47458a0cbd6cfa4bdc06e97d67741e75 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.15_powerpc.deb Size/MD5: 906298 aeccf21a452a6fe9c369ebb2b0b04a4e sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 237516 4326c5061f9c765db5d0bcc01e1669be http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 233278 0d5babd2b04b62bad540b8ee17fbe06e http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 236708 f6699f5dfaf29a1eaecf637e9fdcbdf0 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 205724 da2a97a28c9c2914c55ccc1606ae77e9 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 206490 9ac523aa40acc889678392b2f061725f http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 143976 7cc95b10718a6252dc6fa8cc58045192 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.8-1ubuntu0.15_sparc.deb Size/MD5: 765616 5f1cca257dcce7bb56fe342236b9ea1b Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.6.diff.gz Size/MD5: 139326 10707e14c87b5b776a073113a94c6a1b http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.6.dsc Size/MD5: 1789 74082691bed2864c646f3a8ac3a16eb4 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9.orig.tar.gz Size/MD5: 6396996 80d3754fc278338033296f0d41ef2c04 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.9-7ubuntu3.6_all.deb Size/MD5: 2041858 706b343b84044f2f532e0941ee93ff03 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-src_2.2.9-7ubuntu3.6_all.deb Size/MD5: 6537860 6a767abce0dd1e61107a459fbf029691 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.9-7ubuntu3.6_all.deb Size/MD5: 45626 84e04ec49010cfac41f939c27b9c9a31 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 255130 68f5cf8b5548d407b51d6db614c6b9b2 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 249326 796985e36b4ad3423909947fcca71966 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 254478 45e12d6d18cadeb552888ca1395a81c4 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 208652 63e0d760fcaf0bd82a661336fe39cae6 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 84610 8a594fba559844dba85496f60e84b7f7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 82966 6becc4c35b209a8a09a9715f9e8f44f0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 209682 b28ea955f642c5a9cd3854da82843ef0 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 147882 b83148d248dbb4ac13fd57db5ce2650c http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.6_amd64.deb Size/MD5: 820544 934937ebb87e765ada13608b50b2bd84 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 241500 53f66d0add4830740f819855f679ad0e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 236122 50550a1af2dfb61ac9da7e28367c036e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 240782 6d9798847ab81e1d565f1be057a4626e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 208662 d1f85491999b1c89f4fbe3c523c854e1 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 84042 470d82a4b6a25286ac4b21f6e59dd373 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 82444 ecf0e6f5465f9f9e38058e756891c8fe http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 209682 72e627fd62be2175f1caf6979aa33528 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 146726 09954f0d419252bba5a954c4a749c56d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.6_i386.deb Size/MD5: 778764 0cbf3c7a7d0fcb2cdf4c15239c7c9ab7 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 238456 c307976b4b9dda8e908db9aab888487f http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 233076 df1ab53d9ba76510482ea9e81e0c05ed http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 237732 d7a685c6e7c7f85e4596e446c5f81116 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 208660 dad1c46c1e379ad508874730419357c1 http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 83998 70e9d64a0b2003a3431af50686dbb3a9 http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 82426 14ba830d1f933a00e49bfcb834f01333 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 209688 e2ad15523a015b78aa1d79a457977f6f http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 146418 2ea6c8dd9e2e67ca9ca01b5368e8a492 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.6_lpia.deb Size/MD5: 766738 939fd23c53ad2e3856950b539c49e572 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 261634 1fd498222280f99f3baa05e76b8b3134 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 256204 ddb9aebbba56b1247d744c24d620c311 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 260994 18d27f39cb23053b475b9c797ed4a0b9 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 208672 a63ee94b91522612a0d9baf8cf8be1e9 http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 84694 442e717226809ef8450ec6640d985165 http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 83042 075c585197c7424b0f075791c26d7fff http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 209692 5f3226ac36647403501e70aea30ae295 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 161152 f5aef8d2db2ce2f0a61610d220b8554f http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.6_powerpc.deb Size/MD5: 926422 6ee1f22222dc895c7d4e90a22c6e82e4 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 246832 44d9328891ed6a5b27b8b7ca17dd1e65 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 241392 3132cdcdd9ff2390f33c004ba0d06c25 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 246146 a22417d0af89d571057186566cba70d6 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 208658 3a9623afdc7080fdd8ed7571ec44f93b http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec-custom_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 84230 23a679c07ac52f14db5d5502c797fbe0 http://ports.ubuntu.com/pool/main/a/apache2/apache2-suexec_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 82596 58f1b8c280a18ff5714fcde8f31bb767 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 209684 7d0b63fc5c72b67fb67056f75003507d http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 151052 bc015d14efdd9b781416fcd4dcbaf3da http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.9-7ubuntu3.6_sparc.deb Size/MD5: 784092 3d4f997fd5cb3372e23e7a7b5b33a818 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.6.diff.gz Size/MD5: 142681 9290c7aa5d38184a259ed1e8b31f302e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.6.dsc Size/MD5: 1796 c92dc8b9df72439a68fb9acabe825d34 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11.orig.tar.gz Size/MD5: 6806786 03e0a99a5de0f3f568a0087fb9993af9 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.11-2ubuntu2.6_all.deb Size/MD5: 2219398 a59488ae00cefb2d9e763986951b46f7 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.11-2ubuntu2.6_all.deb Size/MD5: 46768 d4959ab1a2fcac6febf73d72af47c8ea http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-src_2.2.11-2ubuntu2.6_all.deb Size/MD5: 6948418 f6ad43ce72bed437112d0474764c4e72 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 259164 b493228cb147781d7ae20e832a859c6e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 253356 111e4f5738a5c1d25a4c0539dfb3eb01 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 258546 953c300480822f9bba76921a551342ff http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 213416 9a208bf91694f084f124f7cdb7086ae5 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 214372 5c138ead01971ef4e25c6f2fc4a8c081 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 151268 c10773d75fc13a933af172f8c25ed928 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 827176 9c5f22af93970e386b3392ea6496012a http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 87926 053a597373bfafedc54c7f56bbc4d36f http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.6_amd64.deb Size/MD5: 86272 99845d4c0c7e1fb6106e12ef89d6b1de i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 245642 a4975d08a72dbbc7a0c9a1ecb467a625 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 240198 2c67ecad0ff90d9c3cac969c69cc6403 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 245072 cc06f54e8e72c9ef88f18c637258c296 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 213426 5692c703a7442e93cd6c201d0b784609 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 214390 22e7a59f09641e26a56398e8165548a4 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 150168 7c2dc8f846d3d11985fb4ea4c9e40714 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 784518 23be691c35729ab36f7764aeb02ef4c1 http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 87310 2af044869390444fa21197f6bde2c8f0 http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.6_i386.deb Size/MD5: 85706 4814c65a1b0da47ee4c5189b68956890 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 242526 0ccc9efc179daa8a3994818daf5d962f http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 237034 979638ca12fef068895ca14d40adf1fe http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 241914 2e5438ad43673a0b0467946a3904f883 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 213426 fc47493b35308f26cf370d5fc36a764c http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 214396 e591f754bfef0e3f097db8f234aef1c4 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 149888 5ff213998d0756589eb12387ec99d53e http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 773726 d3347559226812470d87af62e3be7a53 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 87248 cd0c669ff56ada0d600dd7f62c3ab406 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.6_lpia.deb Size/MD5: 85680 6d064bc67f5a528ed3c9aa0f251d536d powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 265602 dd914e1e1392318a1efff84fef689fb4 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 260618 78b8f50bab2b0e4fed67b49b9a2f34ec http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 265262 05581b19a7ad11ac34237065447137ea http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 213440 17d41a63c07a53b6a47e8ddbaafde343 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 214406 df3a389b1a92f641b6baed063420f71e http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 164580 259b63754f6f73dbd2857356c04a959a http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 932678 86c9127387640b057ea9e0fdf50a6b40 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 88008 4aabc23270af1875dd1798e21e5ecf41 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.6_powerpc.deb Size/MD5: 86280 6d918a123609e62508baea60fd579ee9 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-event_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 250926 080921e0439dd8c221d6fe92ef246e86 http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-prefork_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 245236 0cd80a701c6e21d779840e590380f60e http://ports.ubuntu.com/pool/main/a/apache2/apache2-mpm-worker_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 250252 d3510ceebeb7a254dc61d2e37cfb8232 http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 213440 50fdbf9ec8d08e9fab9df4352a702703 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 214412 519c15df22f7ff3da1391ddbed717f21 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 154426 ca9003b8a71bbbe73328af4fc0e4428d http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-common_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 789462 085ceebc571d99f2528891fd138266f7 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 87510 2a8052e30ece8670fcd7b5b5cc444adb http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.11-2ubuntu2.6_sparc.deb Size/MD5: 85860 ea55b592d9b4c45cd94af4836961f9e0 Updated packages for Ubuntu 9.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12-1ubuntu2.2.diff.gz Size/MD5: 185966 1fd1b39b8acae8efd95cfba73035ef5d http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12-1ubuntu2.2.dsc Size/MD5: 1889 f259c015de981d3f9e6ba6652e89ef53 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12.orig.tar.gz Size/MD5: 6678149 17f017b571f88aa60abebfe2945d7caf Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-doc_2.2.12-1ubuntu2.2_all.deb Size/MD5: 2246764 243a32914d322c363e8181f4e609eaee http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-event_2.2.12-1ubuntu2.2_all.deb Size/MD5: 2344 d4a431e66497ad75c6c76ef16b94337f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-prefork_2.2.12-1ubuntu2.2_all.deb Size/MD5: 2376 47b97a23cf9be3fbbda7d4d33b0203f9 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-mpm-worker_2.2.12-1ubuntu2.2_all.deb Size/MD5: 2314 bf4f9dccdb1eb33ef9dde9e845ea69f4 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-common_2.2.12-1ubuntu2.2_all.deb Size/MD5: 285202 04dcce263dc86b401d1341f95fe25906 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2_2.2.12-1ubuntu2.2_all.deb Size/MD5: 1426 0a27231773121ea4ed159283ae664f94 http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-mpm-itk_2.2.12-1ubuntu2.2_all.deb Size/MD5: 2372 df8f7e39a1be46de7e96df5da2013af3 amd64 architecture (Athlon64, Opteron, EM64T Xeon): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.2_amd64.deb Size/MD5: 137082 192e416bdda75ce8c45c5207c7f6b975 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.2_amd64.deb Size/MD5: 138190 d0e2523df5544601e824d9d6d34eca23 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.2_amd64.deb Size/MD5: 156784 27d845ebfc48e6935f2b213c9140bb6e http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.2_amd64.deb Size/MD5: 1399724 12708155a417a9d090380907d15411ec http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.2_amd64.deb Size/MD5: 92644 887937b07afcc3701bc66a1640ac8733 http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.2_amd64.deb Size/MD5: 91024 6d34a77de75b7152327ceb73775b3915 i386 architecture (x86 compatible Intel/AMD): http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.2_i386.deb Size/MD5: 137092 126e3c92ab8652016340d39f9d223f59 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.2_i386.deb Size/MD5: 138188 31da570017edbce3f6f34628e5d36fa8 http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.2_i386.deb Size/MD5: 155324 0cff520071def0ae1cd458fbb354683f http://security.ubuntu.com/ubuntu/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.2_i386.deb Size/MD5: 1309290 3ce857da081471731f401a08e02daa21 http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.2_i386.deb Size/MD5: 92028 f60d21f5b476f5c9e9a3886acf7a1385 http://security.ubuntu.com/ubuntu/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.2_i386.deb Size/MD5: 90466 d04da6a2077f9c40796266107c84e747 lpia architecture (Low Power Intel Architecture): http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.2_lpia.deb Size/MD5: 137090 85e576764c7e72449a1229feacbc3a1d http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.2_lpia.deb Size/MD5: 138206 b4d5ac7685535fab17c694233f894f83 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.2_lpia.deb Size/MD5: 155242 c03cb87555975f754c34537084c374b2 http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.2_lpia.deb Size/MD5: 1290654 88629a149a84206ca6e37ee1ce4923a3 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.2_lpia.deb Size/MD5: 91978 d114a24e4ba510f72b7b7c721b8a7376 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.2_lpia.deb Size/MD5: 90466 a4d405b139bc75e526807eadd473dc49 powerpc architecture (Apple Macintosh G3/G4/G5): http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.2_powerpc.deb Size/MD5: 137088 c316a4af0913e33aaadb3621702118f3 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.2_powerpc.deb Size/MD5: 138192 f9100a53b31914b16dda8ff5f9afb218 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.2_powerpc.deb Size/MD5: 161188 2296d3ec6e45bb715e9d918df985b36c http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.2_powerpc.deb Size/MD5: 1390306 8e8c87274ae72fce5d1911ff05a20e2a http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.2_powerpc.deb Size/MD5: 92552 1a28d81a25546498dbbbfaf0d0e929bf http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.2_powerpc.deb Size/MD5: 90918 e368a1ac77fc510630f1696f25268ac3 sparc architecture (Sun SPARC/UltraSPARC): http://ports.ubuntu.com/pool/main/a/apache2/apache2-prefork-dev_2.2.12-1ubuntu2.2_sparc.deb Size/MD5: 137098 259de5ac6919ba28eef8f8c3bdbb5ae0 http://ports.ubuntu.com/pool/main/a/apache2/apache2-threaded-dev_2.2.12-1ubuntu2.2_sparc.deb Size/MD5: 138198 106dfdd3820957cd12d23d9ff14cabf8 http://ports.ubuntu.com/pool/main/a/apache2/apache2-utils_2.2.12-1ubuntu2.2_sparc.deb Size/MD5: 159640 41e05eb97a5e5f2682636b124a52970f http://ports.ubuntu.com/pool/main/a/apache2/apache2.2-bin_2.2.12-1ubuntu2.2_sparc.deb Size/MD5: 1298086 5c7ddce4dc35f6ea81e73b7797b091c7 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec-custom_2.2.12-1ubuntu2.2_sparc.deb Size/MD5: 92318 89e113250f9925383eb4cd2ac0941d58 http://ports.ubuntu.com/pool/universe/a/apache2/apache2-suexec_2.2.12-1ubuntu2.2_sparc.deb Size/MD5: 90708 f7094a69d4607bd77e24d02559b07aab

cfnetwork.dll 1.450.5.0 in CFNetwork, as used by safari.exe 531.21.10 in Apple Safari 4.0.3 and 4.0.4 on Windows, allows remote attackers to cause a denial of service (application crash) via a long string in the BACKGROUND attribute of a BODY element. Apple Safari is prone to a remote denial-of-service vulnerability. Successful exploits may allow an attacker to crash the affected browser, resulting in a denial-of-service condition. Given the nature of this issue, memory corruption or code execution might be possible, but has not been confirmed. The issue affects Safari 4.0.4 and 4.0.3; other versions may also be affected. Apple Safari is a web browser bundled with the Apple operating system

The dhost web service in Novell eDirectory 8.8.5 uses a predictable session cookie, which makes it easier for remote attackers to hijack sessions via a modified cookie. Novell eDirectory is a cross-platform directory server. Novell eDirectory is prone to a session-hijacking vulnerability. An attacker can exploit this issue to gain access to the affected application. Novell eDirectory 8.8.5 is vulnerable; other versions may also be affected

Hitachi JP1/Cm2/Network Node Manager is prone to a security vulnerability because it sets insecure file permissions. An attacker can exploit this issue to obtain sensitive information or gain escalated privileges. ---------------------------------------------------------------------- Use WSUS to deploy 3rd party patches Public BETA http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: Hitachi JP1/Cm2/Network Node Manager Remote Console Insecure File Permissions SECUNIA ADVISORY ID: SA38740 VERIFY ADVISORY: http://secunia.com/advisories/38740/ DESCRIPTION: Hitachi has acknowledged a security issue in Hitachi JP1/Cm2/Network Node Manager, which can be exploited by malicious, local users to manipulate certain data and potentially gain escalated privileges. The security issue is reported in the following products and versions: * JP1/Cm2/Network Node Manager Enterprise version 06-51 to 06-71 * JP1/Cm2/Network Node Manager 250 version 06-51 to 06-71 * JP1/Cm2/Network Node Manager version 07-00 to 07-10 * JP1/Cm2/Network Node Manager Starter Edition Enterprise version 08-00 to 08-10 * JP1/Cm2/Network Node Manager Starter Edition 250 version 08-00 to 08-10 SOLUTION: Restrict access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-002/index.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple Hitachi products are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. ---------------------------------------------------------------------- Use WSUS to deploy 3rd party patches Public BETA http://secunia.com/vulnerability_scanning/corporate/wsus_3rd_third_party_patching/ ---------------------------------------------------------------------- TITLE: Hitachi Cosminexus Products uCosminexus Portal Framework Cross-Site Scripting SECUNIA ADVISORY ID: SA38737 VERIFY ADVISORY: http://secunia.com/advisories/38737/ DESCRIPTION: A vulnerability has been reported in Hitachi products, which can be exploited by malicious people to conduct cross-site scripting attacks. Unspecified input passed to the "uCosminexus Portal Framework" and "uCosminexus Portal Framework - Light" component is not properly sanitised before being returned to the user. Please see the vendor's advisory for a list of affected products and versions. SOLUTION: Please see the vendor's advisory for fix information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS10-001/index.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4.0.4, Apple Safari on iPhone OS and iPhone OS for iPod touch, and Google Chrome 4.0.249, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a STYLE element composed of a large number of *> sequences. WebKit is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause the affected browser to crash, effectively denying service to legitimate users. Note: This BID was originally titled "Apple Safari Style Tag Remote Memory Corruption Vulnerability". Reports indicate that the underlying flaw affects the WebKit library. Update (March 5, 2010): This issue has been downgraded to a denial-of-service vulnerability. Arbitrary code execution is not possible. If the user includes a large number of \"* > \" characters in the STYLE element of the HTML page, the browser will crash. ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SUSE update for Multiple Packages SECUNIA ADVISORY ID: SA43068 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43068/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 RELEASE DATE: 2011-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/43068/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43068/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has issued an update for multiple packages, which fixes multiple vulnerabilities. For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server. ORIGINAL ADVISORY: SUSE-SR:2011:002: http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site scripting (XSS) vulnerability in the Portlet Palette in IBM WebSphere Portal 6.0.1.5 wp6015_008_01 allows remote attackers to inject arbitrary web script or HTML via the search field. The IBM WebSphere Portal server is a commercial portal solution. is prone to a cross-site scripting vulnerability. Other versions may also be affected. SOLUTION: Apply APAR PM05829. PROVIDED AND/OR DISCOVERED BY: The vendor credits Sjoerd Resink, Fox-IT BV. ORIGINAL ADVISORY: http://www-01.ibm.com/support/docview.wss?uid=swg1PM05829 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Huawei HG510 is a terminal device for home digital networks that provides ADSL connectivity. The Huawei HG510 has a security vulnerability that allows an attacker to bypass security restrictions and perform cross-site request forgery attacks: - The device does not perform any security checks to allow the user to perform some operations through HTTP requests, such as rebooting the device or changing settings (including passwords). - The device does not properly restrict access to the script rebootinfo.cgi, and can directly access the script to restart the device. Note that this also attacks through cross-site request forgery attacks. ---------------------------------------------------------------------- Public Beta of CSI and WSUS Integration http://secunia.com/blog/74 ---------------------------------------------------------------------- TITLE: Huawei HG510 Security Bypass and Cross-Site Request Forgery Vulnerabilities SECUNIA ADVISORY ID: SA38591 VERIFY ADVISORY: http://secunia.com/advisories/38591/ DESCRIPTION: Ivan Markovic has reported some vulnerabilities in Huawei HG510, which can be exploited by malicious people to bypass certain security restrictions and conduct cross-site request forgery attacks. This can be exploited to e.g. reboot the device or change certain settings (including passwords). Do not browse untrusted websites or follow untrusted links while logged in to the device. PROVIDED AND/OR DISCOVERED BY: Ivan Markovic, Network Security Solutions ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2010-02/0155.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

UplusFtp is a free green free installation FTP server. A stack overflow vulnerability exists in the UplusFTP server when processing user-submitted HTTP request parameters. A remote attacker can trigger this overflow by submitting an HTTP request containing a very long path parameter to the list.html page, causing arbitrary code to be executed. Easy FTP Server (also known as UplusFTP) is prone to a buffer-overflow vulnerability. Successful exploits may allow attackers to execute arbitrary code within the context of the application. Failed exploit attempts will likely result in a denial-of-service condition

WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp in WebKit before r52401, as used in Google Chrome before 4.0.249.78, allows remote attackers to bypass the Same Origin Policy via vectors involving the window.open method. WebKit is prone to a cross-domain scripting vulnerability because it fails to properly enforce the same-origin policy. An attacker can exploit this issue to execute arbitrary code in the context of a different domain. Successful exploits may result in privilege escalation. Versions prior to WebKit r52401 are vulnerable. NOTE: This issue was previously documented in BID 37948 (Google Chrome prior to 4.0.249.78 Multiple Security Vulnerabilities) but has been assigned its own record to better document it. WebKit is an open source browser web page layout engine, and the corresponding engines are Gecko (the layout engine used by Mozilla, Firefox, etc.) and Trident (also known as MSHTML, the layout engine used by IE). Credit to Tokuji Akamine, Senior Consultant at Symantec Consulting Services (for Chromium) and Lostmon Lords (for Flock). References: https://bugs.webkit.org/show_bug.cgi?id=32647 http://code.google.com/p/chromium/issues/detail?id=30660 -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJMj6tpAAoJEPzFtDWO6ceqVloP/19NsAyXYRvtQABv7ztHyOxd bGdsp0FMVp/fMbpDIwzStHbfnlYnFqDAzWb6Zy64jKuFzK8mKXYcoAqbz3EoX3Ux Y0IUyKDdfR1HvnttXRYnAw7M4UKN54MYLAOD80j8ztjt1sjMluWPUxlKSewR8SfM pnIxID3nD7R9DmhABtDKOnTCfrHBgHnKbl1/nMcyUj+x0MtCNktddcYLO3dtaop+ 8FdbKNyFkrKLjqyNqIIa0FNBk4VgDfggLRPHC3PpfBLTcxlXr1/kDLnzIP7PPBuM HpaM/IO/RotzBIDEvJR3tN9YnoTXxR++ExPg0nZuAi3CUS0Jr2jfrarkfs5VzZOs J4WbCWilqccwqzanNdBu6FncYn3R9IytpZiCznO/mpek4lIV6fZlx6LnX9ZFFWsL ExWZ7jqNPj81mifDVuTeMa0BkZ2SvFhOXU1kUmfZvb+/Bu5oQ5hhX5Cpkb0EXBz0 CkNLC7tIq5O4Szczrlt0jb5XiRvhAocinq3yDdPnK9zHKHf+ia1BWt86kxf+fxXJ kQA8hl8fUgN53uoxs6BrQCjo8HrrMxDXojNOtcrw5U7XOWMHm9P0kbJd4PXGjb+c NMSoAoXnXXwm5QKURVxbApZ8vvJiB2LQRvj5A1OMcbYkAUlhS6CJbh0cAET4AutW VugAZ6Q8Wnrk5d6Eoqbc =FVwj -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SUSE update for Multiple Packages SECUNIA ADVISORY ID: SA43068 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43068/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 RELEASE DATE: 2011-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/43068/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43068/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has issued an update for multiple packages, which fixes multiple vulnerabilities. For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server. ORIGINAL ADVISORY: SUSE-SR:2011:002: http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.1), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.15); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (active IPsec tunnel loss and prevention of new tunnels) via a malformed IKE message through an existing tunnel to UDP port 4500, aka Bug ID CSCtc47782. The problem is Bug ID : CSCtc47782 It is a problem.By a third party UDP 4500 Illegal via the existing tunnel to port No. IKE Service disruption via message (DoS) There is a possibility of being put into a state. Attackers can exploit this issue to cause all IPsec tunnels to terminate. This issue is documented in Cisco bug ID CSCtc47782. 4) An error in WebVPN can be exploited to trigger an appliance reload via a specially crafted DTLS packet. 7) An error in the implementation of the NT LAN Manager version 1 (NTLMv1) protocol can be exploited to bypass authentication via a specially crafted username. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. There are workarounds for some of the vulnerabilities disclosed in this advisory. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml. For specific version information, refer to the "Software Versions and Fixes" section of this advisory. Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features: * SSL VPNs * Cisco Adaptive Security Device Manager (ASDM) Administrative Access * Telnet Access * SSH Access * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include skinny Inspect: skinny , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x. Administrators can enable WebVPN with the "enable <interface name>" command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS: webvpn enable outside svc enable ... ! group-policy <group name> internal group-policy <group name> attributes ... webvpn svc dtls enable ... Altough WebVPN is disabled by default, DTLS is enabled by default in recent software releases. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Administrators can configure NTLMv1 authentication by defining an Authentication, Authorization, and Accounting (AAA) server group that uses the NTLMv1 protocol with the "aaa-server <AAA server group tag> protocol nt" command and then configuring a service that requires authentication to use that AAA server group. To verify that NTLMv1 authentication is enabled and active, issue the "show aaa-server protocol nt" command. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How To Determine The Running Software Version +-------------------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command-line interface (CLI) command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is affected by some of the vulnerabilities in this advisory. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml. With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services. This vulnerability is triggered only when specific TCP segments are sent to certain TCP-based services that terminate on the affected appliance. Although exploitation of this vulnerability requires a TCP three-way handshake, authentication is not required. Appliances are only vulnerable when SIP inspection is enabled. Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Appliances are only vulnerable when SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerabily. Appliances are only vulnerable when they are configured for WebVPN and DTLS transport. This vulnerability is only triggered by traffic that is destined to the appliance; transit traffic will not trigger the vulnerability. A malformed, transit TCP segment is received. 2. The TCP segment matches a static NAT translation that has the "nailed" option configured on it. 3. The TCP segment is also processed by the Cisco AIP-SSM, which is configured for inline mode of operation. A TCP three-way handshake is not necessary to exploit this vulnerability. The tunnels are not torn down immediately; IPsec traffic will continue to flow until the next rekey, at which time the rekey will fail and the tunnels will be torn down. Both site-to-site and remote access VPN tunnels are affected. The only way to recover and re-establish IPsec VPN tunnels is to reload the appliance. When this vulnerability is exploited, the security appliance will generate syslog messages 713903 and 713906, which will be followed by the loss of IPsec peers. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances contain a vulnerability that could result in authentication bypass when the affected appliance is configured to authenticate users against Microsoft Windows servers using the NTLMv1 protocol. Users can bypass authentication by providing an an invalid, crafted username during an authentication request. Any services that use a AAA server group that is configured to use the NTLMv1 authentication protocol is affected. Affected services include: * Telnet access to the security appliance * SSH access to the security appliance * HTTPS access to the security appliance (including Cisco ASDM access) * Serial console access * Privileged (enable) mode access * Cut-through proxy for network access * VPN access This vulnerability is documented in Cisco bug ID CSCte21953 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0568. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- * CSCsz77717 ("TCP sessions remain in CLOSEWAIT indefinitely") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- * CSCsy91157 ("Watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc96018 ("ASA watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- * CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny inspect enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ * CSCtb64913 ("WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- * CSCtb37219 ("Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- * CSCtc47782 ("Malformed IKE traffic causes rekey to fail") CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Partial CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- * CSCte21953 ("ASA may allow authentication of an invalid username for NT auth") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.2 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. A manual reload of the appliance is required to re-establish all VPN tunnels. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. +---------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | |TCP Connection |---------+-----------| | Exhaustion | 7.2 | 7.2(4.46) | |Denial of |---------+-----------| | Service | 8.0 | 8.0(4.38) | |Vulnerability ( |---------+-----------| | CSCsz77717) | 8.1 | 8.1(2.29) | | |---------+-----------| | | 8.2 | 8.2(1.5) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | |SIP Inspection |---------+-----------| | Denial of | 7.2 | 7.2(4.45) | |Service |---------+-----------| | Vulnerabilities | 8.0 | 8.0(5.2) | |(CSCsy91157 and |---------+-----------| | CSCtc96018) | 8.1 | 8.1(2.37) | | |---------+-----------| | | 8.2 | 8.2(1.16) | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | | |---------+-----------| | SCCP Inspection | 7.2 | Not | | Denial of | | affected | |Service |---------+-----------| | Vulnerability ( | 8.0 | 8.0(4.38) | |CSCsz79757) |---------+-----------| | | 8.1 | 8.1(2.29) | | |---------+-----------| | | 8.2 | 8.2(1.2) | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | |WebVPN DTLS |---------+-----------| | Denial of | 7.2 | 7.2(4.45) | |Service |---------+-----------| | Vulnerability ( | 8.0 | 8.0(4.44) | |CSCtb64913) |---------+-----------| | | 8.1 | 8.1(2.35) | | |---------+-----------| | | 8.2 | 8.2(1.10) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | Crafted TCP | 7.2 | 7.2(4.45) | |Segment Denial |---------+-----------| | of Service | 8.0 | 8.0(4.44) | |Vulnerability ( |---------+-----------| | CSCtb37219) | 8.1 | 8.1(2.35) | | |---------+-----------| | | 8.2 | 8.2(1.10) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | Crafted IKE | 7.2 | 7.2(4.45) | |Message Denial |---------+-----------| | of Service | 8.0 | 8.0(5.1) | |Vulnerability ( |---------+-----------| | CSCtc47782) | 8.1 | 8.1(2.37) | | |---------+-----------| | | 8.2 | 8.2(1.15) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | | 7.2 | 7.2(4.45) | | |---------+-----------| | NTLMv1 | 8.0 | 8.0(5.7) | |Authentication |---------+-----------| | Bypass | | 8.1 | | Vulnerability ( | | (2.40), | | CSCte21953) | 8.1 | available | | | | early | | | | March | | | | 2010 | | |---------+-----------| | | 8.2 | 8.2(2.1) | +---------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Fixed Cisco ASA Software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Recommended Releases +------------------- Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early March 2010), and 8.2(2.4) are recommended releases because they contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Workarounds =========== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- It is possible to mitigate this vulnerability for TCP-based services that are offered to known clients. For example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect from unknown hosts and networks, no mitigations exist. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy-map configuration. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can disable DTLS by issuing the "no svc dtls enable" command under the "webvpn" attributes section of the corresponding group policy. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Possible workarounds for this vulnerability are the following: * Migrate from "nailed" static NAT entries to TCP-state bypass. * Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the "ips promiscuous" command in "class" configuration mode. * Disable IPS inspection for "nailed" static NAT entries. * If possible, change "nailed" static NAT entries to standard static NAT entries. This may be feasible since in most cases there is no need for allowing IPsec tunnels inside IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec tunnel can be accomplished by using a VPN filter, as shown in the following example: !-- Deny only UDP port 4500 traffic and allow everything else access-list VPNFILTER extended deny udp any any eq 4500 access-list VPNFILTER extended permit ip any any !-- Create a group policy and specify a VPN filter that uses the !-- previous ACL group-policy VPNPOL internal group-policy VPNPOL attributes vpn-filter value VPNFILTER !-- Reference the group policy with the VPN filter from the tunnel group tunnel-group 172.16.0.1 type ipsec-l2l tunnel-group 172.16.0.1 general-attributes default-group-policy VPNPOL For this workaround to be effective, the group policy needs to be applied to all site-to-site (tunnel type "ipsec-l2l") and remote access (tunnel type "ipsec-ra") tunnel groups. Warning: In addition to filtering out IKE traffic on UDP port 4500, this workaround may also affect other procotols like DNS and SNMP that send traffic on UDP port 4500. For example, if a DNS resolver sends traffic from UDP port 4500 to a DNS server, the response from the DNS server will be destined to UDP port 4500, which then may be filtered out by the filter used in this workaround. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1 authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is possible to mitigate the vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of any of the vulnerabilities described in this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- This vulnerability was discovered during the resolution of a customer service request. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- CSCsy91157 was discovered during internal testing. CSCtc96018 was discovered during the resolution of customer service requests. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability was discovered during the resolution of customer service requests. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during internal testing. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- This vulnerability was discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-February-17 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 17, 2010 Document ID: 111485 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkt8GTYACgkQ86n/Gc8U/uBi6QCfYFKvAUdFrRvusqKoaFmMwfcH XOYAnRymbNOcRg5gmPFMO/zqgm2wOyKQ =JUg3 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.7), 8.1 before 8.1(2.40), and 8.2 before 8.2(2.1); and Cisco PIX 500 Series Security Appliance; allows remote attackers to bypass NTLMv1 authentication via a crafted username, aka Bug ID CSCte21953. The problem is Bug ID : CSCte21953 It is a problem.Through a crafted username by a third party, NTLMv1 Authentication may be bypassed. Successful exploits allow remote attackers to gain access to vulnerable devices, without requiring successful authentication. This issue is being tracked by Cisco bug ID CSCte21953. 4) An error in WebVPN can be exploited to trigger an appliance reload via a specially crafted DTLS packet. 7) An error in the implementation of the NT LAN Manager version 1 (NTLMv1) protocol can be exploited to bypass authentication via a specially crafted username. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances Advisory ID: cisco-sa-20100217-asa Revision 1.0 For Public Release 2010 February 17 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability * Crafted TCP Segment Denial of Service Vulnerability * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. There are workarounds for some of the vulnerabilities disclosed in this advisory. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml. For specific version information, refer to the "Software Versions and Fixes" section of this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. Appliances that are running versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they are configured for any of the following features: * SSL VPNs * Cisco Adaptive Security Device Manager (ASDM) Administrative Access * Telnet Access * SSH Access * Virtual Telnet * Virtual HTTP * Transport Layer Security (TLS) Proxy for Encrypted Voice Inspection SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Two denial of service (DoS) vulnerabilities affect the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include skinny Inspect: skinny , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x. Administrators can enable WebVPN with the "enable <interface name>" command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS: webvpn enable outside svc enable ... ! group-policy <group name> internal group-policy <group name> attributes ... webvpn svc dtls enable ... Altough WebVPN is disabled by default, DTLS is enabled by default in recent software releases. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Administrators can configure NTLMv1 authentication by defining an Authentication, Authorization, and Accounting (AAA) server group that uses the NTLMv1 protocol with the "aaa-server <AAA server group tag> protocol nt" command and then configuring a service that requires authentication to use that AAA server group. To verify that NTLMv1 authentication is enabled and active, issue the "show aaa-server protocol nt" command. Sample output is displayed in the following example: ciscoasa#show aaa-server protocol nt Server Group: test Server Protocol: nt Server Address: 192.168.10.11 Server port: 139 Server status: ACTIVE, Last transaction (success) at 11:10:08 UTC Fri Jan 29 <output truncated> Cisco PIX 500 Series Security Appliance Vulnerability Status +----------------------------------------------------------- Cisco PIX 500 Series Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * SIP Inspection Denial of Service Vulnerabilities * SCCP Inspection Denial of Service Vulnerability * Crafted IKE Message Denial of Service Vulnerability * NTLMv1 Authentication Bypass Vulnerability Because the Cisco PIX 500 Series Security Appliances reached End of Software Maintenance Releases on July 28, 2009, no further software releases will be available for the Cisco PIX 500 Series Security Appliances. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How To Determine The Running Software Version +-------------------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command-line interface (CLI) command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is affected by some of the vulnerabilities in this advisory. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml. With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services. Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities: TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) when specific TCP segments are received during the TCP connection termination phase. This vulnerability is triggered only when specific TCP segments are sent to certain TCP-based services that terminate on the affected appliance. Although exploitation of this vulnerability requires a TCP three-way handshake, authentication is not required. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances are affected by two denial of service vulnerabilities that may cause an appliance to reload during the processing of SIP messages. Appliances are only vulnerable when SIP inspection is enabled. Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities are documented in Cisco bug IDs CSCsy91157, and CSCtc96018, and have been assigned CVE IDs CVE-2010-0150, and CVE-2010-0569 respectively. Appliances are only vulnerable when SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerabily. Appliances are only vulnerable when they are configured for WebVPN and DTLS transport. This vulnerability is only triggered by traffic that is destined to the appliance; transit traffic will not trigger the vulnerability. A malformed, transit TCP segment is received. 2. The TCP segment matches a static NAT translation that has the "nailed" option configured on it. 3. The TCP segment is also processed by the Cisco AIP-SSM, which is configured for inline mode of operation. A TCP three-way handshake is not necessary to exploit this vulnerability. The tunnels are not torn down immediately; IPsec traffic will continue to flow until the next rekey, at which time the rekey will fail and the tunnels will be torn down. Both site-to-site and remote access VPN tunnels are affected. The vulnerability is triggered when the appliance processes a malformed IKE message on port UDP 4500 that traverses an existing IPsec tunnel. The only way to recover and re-establish IPsec VPN tunnels is to reload the appliance. When this vulnerability is exploited, the security appliance will generate syslog messages 713903 and 713906, which will be followed by the loss of IPsec peers. Any services that use a AAA server group that is configured to use the NTLMv1 authentication protocol is affected. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- * CSCsz77717 ("TCP sessions remain in CLOSEWAIT indefinitely") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- * CSCsy91157 ("Watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc96018 ("ASA watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- * CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny inspect enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ * CSCtb64913 ("WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- * CSCtb37219 ("Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- * CSCtc47782 ("Malformed IKE traffic causes rekey to fail") CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Partial CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- * CSCte21953 ("ASA may allow authentication of an invalid username for NT auth") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.2 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. +---------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | |TCP Connection |---------+-----------| | Exhaustion | 7.2 | 7.2(4.46) | |Denial of |---------+-----------| | Service | 8.0 | 8.0(4.38) | |Vulnerability ( |---------+-----------| | CSCsz77717) | 8.1 | 8.1(2.29) | | |---------+-----------| | | 8.2 | 8.2(1.5) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | |SIP Inspection |---------+-----------| | Denial of | 7.2 | 7.2(4.45) | |Service |---------+-----------| | Vulnerabilities | 8.0 | 8.0(5.2) | |(CSCsy91157 and |---------+-----------| | CSCtc96018) | 8.1 | 8.1(2.37) | | |---------+-----------| | | 8.2 | 8.2(1.16) | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | | |---------+-----------| | SCCP Inspection | 7.2 | Not | | Denial of | | affected | |Service |---------+-----------| | Vulnerability ( | 8.0 | 8.0(4.38) | |CSCsz79757) |---------+-----------| | | 8.1 | 8.1(2.29) | | |---------+-----------| | | 8.2 | 8.2(1.2) | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | |WebVPN DTLS |---------+-----------| | Denial of | 7.2 | 7.2(4.45) | |Service |---------+-----------| | Vulnerability ( | 8.0 | 8.0(4.44) | |CSCtb64913) |---------+-----------| | | 8.1 | 8.1(2.35) | | |---------+-----------| | | 8.2 | 8.2(1.10) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | Crafted TCP | 7.2 | 7.2(4.45) | |Segment Denial |---------+-----------| | of Service | 8.0 | 8.0(4.44) | |Vulnerability ( |---------+-----------| | CSCtb37219) | 8.1 | 8.1(2.35) | | |---------+-----------| | | 8.2 | 8.2(1.10) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | Crafted IKE | 7.2 | 7.2(4.45) | |Message Denial |---------+-----------| | of Service | 8.0 | 8.0(5.1) | |Vulnerability ( |---------+-----------| | CSCtc47782) | 8.1 | 8.1(2.37) | | |---------+-----------| | | 8.2 | 8.2(1.15) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | | 7.2 | 7.2(4.45) | | |---------+-----------| | NTLMv1 | 8.0 | 8.0(5.7) | |Authentication |---------+-----------| | Bypass | | 8.1 | | Vulnerability ( | | (2.40), | | CSCte21953) | 8.1 | available | | | | early | | | | March | | | | 2010 | | |---------+-----------| | | 8.2 | 8.2(2.1) | +---------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Fixed Cisco ASA Software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Recommended Releases +------------------- Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early March 2010), and 8.2(2.4) are recommended releases because they contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Workarounds =========== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- It is possible to mitigate this vulnerability for TCP-based services that are offered to known clients. For example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect from unknown hosts and networks, no mitigations exist. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy-map configuration. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can disable DTLS by issuing the "no svc dtls enable" command under the "webvpn" attributes section of the corresponding group policy. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Possible workarounds for this vulnerability are the following: * Migrate from "nailed" static NAT entries to TCP-state bypass. * Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the "ips promiscuous" command in "class" configuration mode. * Disable IPS inspection for "nailed" static NAT entries. * If possible, change "nailed" static NAT entries to standard static NAT entries. This may be feasible since in most cases there is no need for allowing IPsec tunnels inside IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec tunnel can be accomplished by using a VPN filter, as shown in the following example: !-- Deny only UDP port 4500 traffic and allow everything else access-list VPNFILTER extended deny udp any any eq 4500 access-list VPNFILTER extended permit ip any any !-- Create a group policy and specify a VPN filter that uses the !-- previous ACL group-policy VPNPOL internal group-policy VPNPOL attributes vpn-filter value VPNFILTER !-- Reference the group policy with the VPN filter from the tunnel group tunnel-group 172.16.0.1 type ipsec-l2l tunnel-group 172.16.0.1 general-attributes default-group-policy VPNPOL For this workaround to be effective, the group policy needs to be applied to all site-to-site (tunnel type "ipsec-l2l") and remote access (tunnel type "ipsec-ra") tunnel groups. Warning: In addition to filtering out IKE traffic on UDP port 4500, this workaround may also affect other procotols like DNS and SNMP that send traffic on UDP port 4500. For example, if a DNS resolver sends traffic from UDP port 4500 to a DNS server, the response from the DNS server will be destined to UDP port 4500, which then may be filtered out by the filter used in this workaround. For a more comprehensive example of the VPN filter feature of the Cisco ASA 5500 Series Adaptive Security Appliances, refer to the whitepaper "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access" available at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml In addition, if the security appliance does not terminate any tunnels, the vulnerability can be mitigated by disabling IKE by issuing the "no isakmp enable <interface name>" command. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1 authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is possible to mitigate the vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of any of the vulnerabilities described in this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- This vulnerability was discovered during the resolution of a customer service request. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- CSCsy91157 was discovered during internal testing. CSCtc96018 was discovered during the resolution of customer service requests. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability was discovered during the resolution of customer service requests. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during internal testing. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- This vulnerability was discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-February-17 | Initial public release. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 17, 2010 Document ID: 111485 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkt8GTYACgkQ86n/Gc8U/uBi6QCfYFKvAUdFrRvusqKoaFmMwfcH XOYAnRymbNOcRg5gmPFMO/zqgm2wOyKQ =JUg3 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.2), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.16); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCtc96018. The problem is Bug ID : CSCtc96018 It is a problem.Unauthorized by a third party SIP Service disruption via message (DoS) There is a possibility of being put into a state. This issue is tracked by Cisco Bug ID CSCtc96018. An attacker can exploit this issue to cause a vulnerable device to crash, denying service to legitimate users. For more information see vulnerabilities #1, #2, #3, #6, and #7 in: SA38618 SOLUTION: Affected products have reached End of Software Maintenance Releases on July 28, 2009. 1) An error when receiving certain TCP segments while a connection is being terminated can be exploited to make a device unable to accept new TCP connections. 2) Two errors in the Session Initiation Protocol (SIP) inspection feature can be exploited to trigger an appliance reload. 3) An error in the Skinny Client Control Protocol (SCCP) inspection feature can be exploited to trigger an appliance reload. 4) An error in WebVPN can be exploited to trigger an appliance reload via a specially crafted DTLS packet. 5) An error when using the "nailed" option can be exploited to reload an appliance via a specially crafted TCP segment that transits the appliance. 6) An error when parsing Internet Key Exchange (IKE) messages can be exploited to disrupt all IPsec tunnels that terminate on an affected device. 7) An error in the implementation of the NT LAN Manager version 1 (NTLMv1) protocol can be exploited to bypass authentication via a specially crafted username. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . TPTI-11-05: Adobe Shockwave PFR1 Font Chunk Parsing Remote Code Execution Vulnerability http://dvlabs.tippingpoint.com/advisory/TPTI-11-05 February 8, 2011 -- CVE ID: CVE-2011-0569 -- CVSS: 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C) -- Affected Vendors: Adobe -- Affected Products: Adobe Shockwave Player -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 10825. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the code responsible for parsing font structures within Director files. While processing data within the PFR1 chunk, the process trusts a size value and compares a sign-extended counter against it within a copy loop. By providing a sufficiently large value, this flaw can be abused by a remote attacker to execute arbitrary code under the context of the user running the browser. -- Vendor Response: Adobe has issued an update to correct this vulnerability. More details can be found at: http://www.adobe.com/support/security/bulletins/apsb11-01.html -- Disclosure Timeline: 2011-01-24 - Vulnerability reported to vendor 2011-02-08 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Logan Brown and Aaron Portnoy, TippingPoint DVLabs * Luigi Auriemma

Buffer overflow in an ActiveX control (SYMLTCOM.dll) in Symantec N360 1.0 and 2.0; Norton Internet Security, AntiVirus, SystemWorks, and Confidential 2006 through 2008; and Symantec Client Security 3.0.x before 3.1 MR9, and 3.1.x before MR9; allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. NOTE: this is only a vulnerability if the attacker can "masquerade as an authorized site.". Multiple Symantec products are prone to a stack-based buffer-overflow vulnerability because the applications utilize an ActiveX control that fails to adequately validate user-supplied input. An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions. Remote Attacker An attacker can pass an unidentified vector, causing a denial of service. ---------------------------------------------------------------------- Public Beta of CSI and WSUS Integration http://secunia.com/blog/74 ---------------------------------------------------------------------- TITLE: Symantec Products "SYMLTCOM.dll" ActiveX Control Buffer Overflow SECUNIA ADVISORY ID: SA38654 VERIFY ADVISORY: http://secunia.com/advisories/38654/ DESCRIPTION: A vulnerability has been reported in some Symantec products, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an input validation error in the SYMLTCOM.dll ActiveX control, which can be exploited to cause e.g. a stack-based buffer overflow when a user visits a specially crafted web page. Successful exploitation allows execution of arbitrary code, but is limited to a certain unspecified domain. Symantec Client Security 3.0.x: Update to SCS 3.1 MR9. Symantec Client Security 3.1.x: Update to MR9. PROVIDED AND/OR DISCOVERED BY: The vendor credits FrSIRT. ORIGINAL ADVISORY: Symantec SYM10-003: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_01 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . VUPEN Security Research - Symantec Products "SYMLTCOM.dll" Buffer Overflow Vulnerability http://www.vupen.com/english/research.php I. DESCRIPTION --------------------- VUPEN Vulnerability Research Team discovered a vulnerability in various Symantec security products. II. CREDIT -------------- The vulnerabilities were discovered by VUPEN Security V. ABOUT VUPEN Security --------------------------------- VUPEN is a leading IT security research company providing vulnerability management services to allow enterprises and organizations to eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage risks. VUPEN also provides research services for security vendors (antivirus, IDS, IPS,etc) to supplement their internal vulnerability research efforts and quickly develop vulnerability-based and exploit-based signatures, rules, and filters, and proactively protect their customers against potential threats. * VUPEN Vulnerability Notification Service: http://www.vupen.com/english/services * VUPEN Exploits and In-Depth Vulnerability Analysis: http://www.vupen.com/exploits VI. REFERENCES ---------------------- http://www.vupen.com/english/advisories/2010/0411 http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2010&suid=20100217_01 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0107 VII. DISCLOSURE TIMELINE ----------------------------------- 2008-04-07 - Vendor notified 2008-04-08 - Vendor response 2008-05-09 - Status update received 2008-06-10 - Status update received 2008-12-05 - Status update received 2010-02-18 - Patches available, public disclosure

Directory traversal vulnerability in the Management Center for Cisco Security Agents 6.0 allows remote authenticated users to read arbitrary files via unspecified vectors. Cisco Security Agent is prone to a directory-traversal vulnerability. This issue is tracked by Cisco BugID CSCtd73275. Cisco Security Agent adopts behavior-based evaluation criteria to identify and protect servers and terminal computers, instead of relying only on signature matching for analysis and identification, successfully solving the security risks brought by unknown viruses. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent Advisory ID: cisco-sa-20100217-csa Revision 1.0 For Public Release 2010 February 17 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml Affected Products ================= Vulnerable Products +------------------ Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. The agents installed on user end-points are not affected. Standalone agents are installed in the following products: * Cisco Unified Communications Manager (CallManager) * Cisco Conference Connection (CCC) * Emergency Responder * IPCC Express * IPCC Enterprise * IPCC Hosted * IP Interactive Voice Response (IP IVR) * IP Queue Manager * Intelligent Contact Management (ICM) * Cisco Voice Portal (CVP) * Cisco Unified Meeting Place * Cisco Personal Assistant (PA) * Cisco Unity * Cisco Unity Connection * Cisco Unity Bridge * Cisco Secure ACS Solution Engine * Cisco Internet Service Node (ISN) * Cisco Security Manager (CSM) Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. This vulnerability is documented in Cisco Bug ID CSCtd73275 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0146. These configuration changes may result in modifications to the security policies of the endpoints. This vulnerability is documented in Cisco Bug ID CSCtd73290 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0147. This vulnerability is documented in Cisco Bug ID CSCtb89870 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2010-0148. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtd73275 - Directory Traversal in the Management Center for Cisco Security Agents CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.9 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd73290 - Management Center for Cisco Security Agents: SQL Injection CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtb89870 - Kernel Panic When Receiving Certain TCP Packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-----------------------------------------------------+ | | Cisco | First | | | Vulnerability | Security | Fixed | Recommended | | | Agent | Version | Release | | | Release | | | |---------------+----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | |Directory |----------+------------+-------------| | Traversal | 5.2 | Not | Not | | Vulnerability | | vulnerable | vulnerable | | |----------+------------+-------------| | | 6.0 | 6.0.1.132 | 6.0.1.132 | |---------------+----------+------------+-------------| | | 5.1 | 5.1.0.117 | 5.1.0.117 | |SQL Injection |----------+------------+-------------| | Vulnerability | 5.2 | 5.2.0.296 | 5.2.0.296 | | |----------+------------+-------------| | | 6.0 | 6.0.1.132 | 6.0.1.132 | |---------------+----------+------------+-------------| | | 5.1 | Not | 5.1.0.117 | | | | vulnerable | | |Denial of |----------+------------+-------------| | Service | 5.2 | 5.2.0.285 | 5.2.0.296 | |Vulnerability |----------+------------+-------------| | | 6.0 | Not | 6.0.1.132 | | | | vulnerable | | +-----------------------------------------------------+ Cisco CSA software can be downloaded from the following link: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 Workarounds =========== There are no workarounds available to mitigate these vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The directory traversal and SQL injection vulnerabilities were discovered and reported to Cisco by Gabriele Giuseppini from Cigital. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. The DoS vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-February-17 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFLew9U86n/Gc8U/uARAifvAJ9oLuXJY6iy962givBVY7701k4ktACfa3wK O9O+Q4F1alHxm6CIbUIXkUs= =+hka -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. NOTE: This vulnerability affects both managed and standalone versions. SOLUTION: Update to version 6.0.1.132, 5.1.0.117, or 5.2.0.296: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 PROVIDED AND/OR DISCOVERED BY: 1, 2) The vendor credits Gabriele Giuseppini from Cigital. 3) Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

SQL injection vulnerability in the Management Center for Cisco Security Agents 5.1 before 5.1.0.117, 5.2 before 5.2.0.296, and 6.0 before 6.0.1.132 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco Bug ID CSCtd73290. Cisco Security Agent 5.1, 5.2, and 6.0 are vulnerable. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. The agents installed on user end-points are not affected. Only Cisco Security Agent release 5.2 for Windows and Linux, either managed or standalone, are affected by the DoS vulnerability. Standalone agents are installed in the following products: * Cisco Unified Communications Manager (CallManager) * Cisco Conference Connection (CCC) * Emergency Responder * IPCC Express * IPCC Enterprise * IPCC Hosted * IP Interactive Voice Response (IP IVR) * IP Queue Manager * Intelligent Contact Management (ICM) * Cisco Voice Portal (CVP) * Cisco Unified Meeting Place * Cisco Personal Assistant (PA) * Cisco Unity * Cisco Unity Connection * Cisco Unity Bridge * Cisco Secure ACS Solution Engine * Cisco Internet Service Node (ISN) * Cisco Security Manager (CSM) Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. These configuration changes may result in modifications to the security policies of the endpoints. Cisco Security Agent Denial of Service Vulnerability +--------------------------------------------------- Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtd73275 - Directory Traversal in the Management Center for Cisco Security Agents CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.9 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd73290 - Management Center for Cisco Security Agents: SQL Injection CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtb89870 - Kernel Panic When Receiving Certain TCP Packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-----------------------------------------------------+ | | Cisco | First | | | Vulnerability | Security | Fixed | Recommended | | | Agent | Version | Release | | | Release | | | |---------------+----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | |Directory |----------+------------+-------------| | Traversal | 5.2 | Not | Not | | Vulnerability | | vulnerable | vulnerable | | |----------+------------+-------------| | | 6.0 | 6.0.1.132 | 6.0.1.132 | |---------------+----------+------------+-------------| | | 5.1 | 5.1.0.117 | 5.1.0.117 | |SQL Injection |----------+------------+-------------| | Vulnerability | 5.2 | 5.2.0.296 | 5.2.0.296 | | |----------+------------+-------------| | | 6.0 | 6.0.1.132 | 6.0.1.132 | |---------------+----------+------------+-------------| | | 5.1 | Not | 5.1.0.117 | | | | vulnerable | | |Denial of |----------+------------+-------------| | Service | 5.2 | 5.2.0.285 | 5.2.0.296 | |Vulnerability |----------+------------+-------------| | | 6.0 | Not | 6.0.1.132 | | | | vulnerable | | +-----------------------------------------------------+ Cisco CSA software can be downloaded from the following link: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 Workarounds =========== There are no workarounds available to mitigate these vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The directory traversal and SQL injection vulnerabilities were discovered and reported to Cisco by Gabriele Giuseppini from Cigital. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. The DoS vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-February-17 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFLew9U86n/Gc8U/uARAifvAJ9oLuXJY6iy962givBVY7701k4ktACfa3wK O9O+Q4F1alHxm6CIbUIXkUs= =+hka -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. NOTE: This vulnerability affects both managed and standalone versions. SOLUTION: Update to version 6.0.1.132, 5.1.0.117, or 5.2.0.296: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 PROVIDED AND/OR DISCOVERED BY: 1, 2) The vendor credits Gabriele Giuseppini from Cigital. 3) Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco Security Agent 5.2 before 5.2.0.285, when running on Linux, allows remote attackers to cause a denial of service (kernel panic) via "a series of TCP packets.". The Cisco Security Agent is prone to a denial-of-service vulnerability. This issue is tracked by Cisco Bug ID CSCtb89870. An attacker can exploit this issue to cause the vulnerable computer to crash, denying service to legitimate users. Cisco Security Agent 5.2 for Windows and Linux is vulnerable. Cisco Security Agent adopts behavior-based evaluation criteria to identify and protect servers and terminal computers, instead of relying only on signature matching for analysis and identification, successfully solving the security risks brought by unknown viruses. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco Security Agent Advisory ID: cisco-sa-20100217-csa Revision 1.0 For Public Release 2010 February 17 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml Affected Products ================= Vulnerable Products +------------------ Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability. Note: Only the Management Center for Cisco Security Agents is affected by the directory traversal and SQL injection vulnerabilities. The agents installed on user end-points are not affected. Standalone agents are installed in the following products: * Cisco Unified Communications Manager (CallManager) * Cisco Conference Connection (CCC) * Emergency Responder * IPCC Express * IPCC Enterprise * IPCC Hosted * IP Interactive Voice Response (IP IVR) * IP Queue Manager * Intelligent Contact Management (ICM) * Cisco Voice Portal (CVP) * Cisco Unified Meeting Place * Cisco Personal Assistant (PA) * Cisco Unity * Cisco Unity Connection * Cisco Unity Bridge * Cisco Secure ACS Solution Engine * Cisco Internet Service Node (ISN) * Cisco Security Manager (CSM) Note: The Sun Solaris version of the Cisco Security Agent is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Management Center for Cisco Security Agents Directory Traversal Vulnerability +---------------------------------------------------------------------------- The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Management Center for Cisco Security Agents SQL Injection Vulnerability +---------------------------------------------------------------------- The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCtd73275 - Directory Traversal in the Management Center for Cisco Security Agents CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.9 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed CSCtd73290 - Management Center for Cisco Security Agents: SQL Injection CVSS Base Score - 9 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - Complete Availability Impact - Complete CVSS Temporal Score - 7.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCtb89870 - Kernel Panic When Receiving Certain TCP Packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. Repeated exploitation could result in a sustained DoS condition. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. +-----------------------------------------------------+ | | Cisco | First | | | Vulnerability | Security | Fixed | Recommended | | | Agent | Version | Release | | | Release | | | |---------------+----------+------------+-------------| | | 5.1 | Not | Not | | | | vulnerable | vulnerable | |Directory |----------+------------+-------------| | Traversal | 5.2 | Not | Not | | Vulnerability | | vulnerable | vulnerable | | |----------+------------+-------------| | | 6.0 | 6.0.1.132 | 6.0.1.132 | |---------------+----------+------------+-------------| | | 5.1 | 5.1.0.117 | 5.1.0.117 | |SQL Injection |----------+------------+-------------| | Vulnerability | 5.2 | 5.2.0.296 | 5.2.0.296 | | |----------+------------+-------------| | | 6.0 | 6.0.1.132 | 6.0.1.132 | |---------------+----------+------------+-------------| | | 5.1 | Not | 5.1.0.117 | | | | vulnerable | | |Denial of |----------+------------+-------------| | Service | 5.2 | 5.2.0.285 | 5.2.0.296 | |Vulnerability |----------+------------+-------------| | | 6.0 | Not | 6.0.1.132 | | | | vulnerable | | +-----------------------------------------------------+ Cisco CSA software can be downloaded from the following link: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 Workarounds =========== There are no workarounds available to mitigate these vulnerabilities. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. The directory traversal and SQL injection vulnerabilities were discovered and reported to Cisco by Gabriele Giuseppini from Cigital. Cisco PSIRT appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. The DoS vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +----------------------------------------+ | Revision | | Initial | | 1.0 | 2010-February-17 | public | | | | release. | +----------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFLew9U86n/Gc8U/uARAifvAJ9oLuXJY6iy962givBVY7701k4ktACfa3wK O9O+Q4F1alHxm6CIbUIXkUs= =+hka -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. NOTE: This vulnerability affects both managed and standalone versions. SOLUTION: Update to version 6.0.1.132, 5.1.0.117, or 5.2.0.296: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=278065206 PROVIDED AND/OR DISCOVERED BY: 1, 2) The vendor credits Gabriele Giuseppini from Cigital. 3) Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-csa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.2 before 7.2(4.46), 8.0 before 8.0(4.38), 8.1 before 8.1(2.29), and 8.2 before 8.2(1.5); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (prevention of new connections) via crafted TCP segments during termination of the TCP connection that cause the connection to remain in CLOSEWAIT status, aka "TCP Connection Exhaustion Denial of Service Vulnerability.". Cisco ASA security appliances are prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to exhaust available TCP connections, resulting in a denial-of-service condition. This issue is documented in Cisco bug ID CSCsz77717. 4) An error in WebVPN can be exploited to trigger an appliance reload via a specially crafted DTLS packet. 7) An error in the implementation of the NT LAN Manager version 1 (NTLMv1) protocol can be exploited to bypass authentication via a specially crafted username. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. There are workarounds for some of the vulnerabilities disclosed in this advisory. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml. For specific version information, refer to the "Software Versions and Fixes" section of this advisory. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include skinny Inspect: skinny , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x. Administrators can enable WebVPN with the "enable <interface name>" command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS: webvpn enable outside svc enable ... ! group-policy <group name> internal group-policy <group name> attributes ... webvpn svc dtls enable ... Altough WebVPN is disabled by default, DTLS is enabled by default in recent software releases. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Administrators can configure NTLMv1 authentication by defining an Authentication, Authorization, and Accounting (AAA) server group that uses the NTLMv1 protocol with the "aaa-server <AAA server group tag> protocol nt" command and then configuring a service that requires authentication to use that AAA server group. To verify that NTLMv1 authentication is enabled and active, issue the "show aaa-server protocol nt" command. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How To Determine The Running Software Version +-------------------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command-line interface (CLI) command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is affected by some of the vulnerabilities in this advisory. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml. With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services. This vulnerability is triggered only when specific TCP segments are sent to certain TCP-based services that terminate on the affected appliance. Although exploitation of this vulnerability requires a TCP three-way handshake, authentication is not required. Appliances are only vulnerable when SIP inspection is enabled. Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. Appliances are only vulnerable when SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerabily. Appliances are only vulnerable when they are configured for WebVPN and DTLS transport. This vulnerability is only triggered by traffic that is destined to the appliance; transit traffic will not trigger the vulnerability. A malformed, transit TCP segment is received. 2. The TCP segment matches a static NAT translation that has the "nailed" option configured on it. 3. The TCP segment is also processed by the Cisco AIP-SSM, which is configured for inline mode of operation. A TCP three-way handshake is not necessary to exploit this vulnerability. The tunnels are not torn down immediately; IPsec traffic will continue to flow until the next rekey, at which time the rekey will fail and the tunnels will be torn down. Both site-to-site and remote access VPN tunnels are affected. The vulnerability is triggered when the appliance processes a malformed IKE message on port UDP 4500 that traverses an existing IPsec tunnel. The only way to recover and re-establish IPsec VPN tunnels is to reload the appliance. When this vulnerability is exploited, the security appliance will generate syslog messages 713903 and 713906, which will be followed by the loss of IPsec peers. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances contain a vulnerability that could result in authentication bypass when the affected appliance is configured to authenticate users against Microsoft Windows servers using the NTLMv1 protocol. Users can bypass authentication by providing an an invalid, crafted username during an authentication request. Any services that use a AAA server group that is configured to use the NTLMv1 authentication protocol is affected. Affected services include: * Telnet access to the security appliance * SSH access to the security appliance * HTTPS access to the security appliance (including Cisco ASDM access) * Serial console access * Privileged (enable) mode access * Cut-through proxy for network access * VPN access This vulnerability is documented in Cisco bug ID CSCte21953 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2010-0568. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- * CSCsz77717 ("TCP sessions remain in CLOSEWAIT indefinitely") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- * CSCsy91157 ("Watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc96018 ("ASA watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- * CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny inspect enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ * CSCtb64913 ("WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- * CSCtb37219 ("Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- * CSCtc47782 ("Malformed IKE traffic causes rekey to fail") CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Partial CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- * CSCte21953 ("ASA may allow authentication of an invalid username for NT auth") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.2 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Repeated exploitation could result in a sustained DoS condition. A manual reload of the appliance is required to re-establish all VPN tunnels. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Fixed Cisco ASA Software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Recommended Releases +------------------- Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early March 2010), and 8.2(2.4) are recommended releases because they contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. For example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect from unknown hosts and networks, no mitigations exist. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy-map configuration. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can disable DTLS by issuing the "no svc dtls enable" command under the "webvpn" attributes section of the corresponding group policy. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Possible workarounds for this vulnerability are the following: * Migrate from "nailed" static NAT entries to TCP-state bypass. * Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the "ips promiscuous" command in "class" configuration mode. * Disable IPS inspection for "nailed" static NAT entries. * If possible, change "nailed" static NAT entries to standard static NAT entries. This may be feasible since in most cases there is no need for allowing IPsec tunnels inside IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec tunnel can be accomplished by using a VPN filter, as shown in the following example: !-- Deny only UDP port 4500 traffic and allow everything else access-list VPNFILTER extended deny udp any any eq 4500 access-list VPNFILTER extended permit ip any any !-- Create a group policy and specify a VPN filter that uses the !-- previous ACL group-policy VPNPOL internal group-policy VPNPOL attributes vpn-filter value VPNFILTER !-- Reference the group policy with the VPN filter from the tunnel group tunnel-group 172.16.0.1 type ipsec-l2l tunnel-group 172.16.0.1 general-attributes default-group-policy VPNPOL For this workaround to be effective, the group policy needs to be applied to all site-to-site (tunnel type "ipsec-l2l") and remote access (tunnel type "ipsec-ra") tunnel groups. Warning: In addition to filtering out IKE traffic on UDP port 4500, this workaround may also affect other procotols like DNS and SNMP that send traffic on UDP port 4500. For example, if a DNS resolver sends traffic from UDP port 4500 to a DNS server, the response from the DNS server will be destined to UDP port 4500, which then may be filtered out by the filter used in this workaround. For a more comprehensive example of the VPN filter feature of the Cisco ASA 5500 Series Adaptive Security Appliances, refer to the whitepaper "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access" available at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml In addition, if the security appliance does not terminate any tunnels, the vulnerability can be mitigated by disabling IKE by issuing the "no isakmp enable <interface name>" command. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1 authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is possible to mitigate the vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of any of the vulnerabilities described in this advisory. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- CSCsy91157 was discovered during internal testing. CSCtc96018 was discovered during the resolution of customer service requests. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability was discovered during the resolution of customer service requests. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during internal testing. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- This vulnerability was discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-February-17 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 17, 2010 Document ID: 111485 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkt8GTYACgkQ86n/Gc8U/uBi6QCfYFKvAUdFrRvusqKoaFmMwfcH XOYAnRymbNOcRg5gmPFMO/zqgm2wOyKQ =JUg3 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

Unspecified vulnerability in Cisco ASA 5500 Series Adaptive Security Appliance 7.0 before 7.0(8.10), 7.2 before 7.2(4.45), 8.0 before 8.0(5.2), 8.1 before 8.1(2.37), and 8.2 before 8.2(1.16); and Cisco PIX 500 Series Security Appliance; allows remote attackers to cause a denial of service (device reload) via malformed SIP messages, aka Bug ID CSCsy91157. The problem is Bug ID : CSCsy91157 It is a problem.Unauthorized by a third party SIP Service disruption via message (DoS) There is a possibility of being put into a state. This issue is tracked by Cisco Bug ID CSCsy91157. An attacker can exploit this issue to cause the vulnerable device to crash, denying service to legitimate users. 4) An error in WebVPN can be exploited to trigger an appliance reload via a specially crafted DTLS packet. 7) An error in the implementation of the NT LAN Manager version 1 (NTLMv1) protocol can be exploited to bypass authentication via a specially crafted username. SOLUTION: Update to a fixed version. Please see the vendor's advisory for detailed patch information. PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances Advisory ID: cisco-sa-20100217-asa Revision 1.0 For Public Release 2010 February 17 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities: * TCP Connection Exhaustion Denial of Service Vulnerability * Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerabilities * Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability * WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability * Crafted TCP Segment Denial of Service Vulnerability * Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability * NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability These vulnerabilities are not interdependent; a release that is affected by one vulnerability is not necessarily affected by the others. There are workarounds for some of the vulnerabilities disclosed in this advisory. Cisco has released free software updates that address these vulnerabilities. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml. For specific version information, refer to the "Software Versions and Fixes" section of this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion condition (no new TCP connections are accepted) that can be triggered through the receipt of specific TCP segments during the TCP connection termination phase. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. SIP inspection is enabled by default. To check if SIP inspection is enabled, issue the "show service-policy | include sip" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include sip Inspect: sip , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SIP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect sip ... Versions 8.0.x, 8.1.x, and 8.2.x are affected. SCCP inspection is enabled by default. To check if SCCP inspection is enabled, issue the "show service-policy | include skinny" command and confirm that some output is returned. Sample output is displayed in the following example: ciscoasa#show service-policy | include skinny Inspect: skinny , packet 0, drop 0, reset-drop 0 Alternatively, an appliance that has SCCP inspection enabled has a configuration similar to the following: class-map inspection_default match default-inspection-traffic ! policy-map global_policy class inspection_default ... inspect skinny ... Affected versions include 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x. Administrators can enable WebVPN with the "enable <interface name>" command in "webvpn" configuration mode. DTLS can be enabled by issuing the "svc dtls enable" command in "group policy webvpn" configuration mode. The following configuration snippet provides an example of a WebVPN configuration that enables DTLS: webvpn enable outside svc enable ... ! group-policy <group name> internal group-policy <group name> attributes ... webvpn svc dtls enable ... Altough WebVPN is disabled by default, DTLS is enabled by default in recent software releases. This vulnerability only affects configurations that use the "nailed" option at the end of their static statement. Additionally, traffic that matches "static" statement must also be inspected by a Cisco AIP-SSM (an Intrusion Prevention System (IPS) module) in inline mode. IPS inline operation mode is enabled by using the "ips inline {fail-close | fail-open}" command in "class" configuration mode. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. IKE is not enabled by default. If IKE is enabled, the "isakmp enable <interface name>" command appears in the configuration. Versions 7.0.x, 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected. Administrators can configure NTLMv1 authentication by defining an Authentication, Authorization, and Accounting (AAA) server group that uses the NTLMv1 protocol with the "aaa-server <AAA server group tag> protocol nt" command and then configuring a service that requires authentication to use that AAA server group. To verify that NTLMv1 authentication is enabled and active, issue the "show aaa-server protocol nt" command. For more information, refer to the End of Life announcement at: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/end_of_life_notice_cisco_pix_525_sec_app.html. How To Determine The Running Software Version +-------------------------------------------- To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the "show version" command-line interface (CLI) command. The following example shows a Cisco ASA 5500 Series Adaptive Security Appliance that is running software version 8.0(4): ASA#show version Cisco Adaptive Security Appliance Software Version 8.0(4) Device Manager Version 6.0(1) <output truncated> Customers who use Cisco ASDM to manage devices can locate the software version in the table that is displayed in the login window or upper-left corner of the Cisco ASDM window. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is affected by some of the vulnerabilities in this advisory. A separate Cisco Security Advisory has been published to disclose the vulnerabilities that affect the FWSM. This advisory is available at http://www.cisco.com/warp/public/707/cisco-sa-20100217-fwsm.shtml. With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services. This vulnerability is triggered only when specific TCP segments are sent to certain TCP-based services that terminate on the affected appliance. Although exploitation of this vulnerability requires a TCP three-way handshake, authentication is not required. Appliances are only vulnerable when SIP inspection is enabled. Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not trigger the vulnerabilities. These vulnerabilities are documented in Cisco bug IDs CSCsy91157, and CSCtc96018, and have been assigned CVE IDs CVE-2010-0150, and CVE-2010-0569 respectively. Appliances are only vulnerable when SCCP inspection is enabled. Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger the vulnerabily. Appliances are only vulnerable when they are configured for WebVPN and DTLS transport. This vulnerability is only triggered by traffic that is destined to the appliance; transit traffic will not trigger the vulnerability. A malformed, transit TCP segment is received. 2. The TCP segment matches a static NAT translation that has the "nailed" option configured on it. 3. The TCP segment is also processed by the Cisco AIP-SSM, which is configured for inline mode of operation. A TCP three-way handshake is not necessary to exploit this vulnerability. The tunnels are not torn down immediately; IPsec traffic will continue to flow until the next rekey, at which time the rekey will fail and the tunnels will be torn down. Both site-to-site and remote access VPN tunnels are affected. The vulnerability is triggered when the appliance processes a malformed IKE message on port UDP 4500 that traverses an existing IPsec tunnel. The only way to recover and re-establish IPsec VPN tunnels is to reload the appliance. When this vulnerability is exploited, the security appliance will generate syslog messages 713903 and 713906, which will be followed by the loss of IPsec peers. Users can bypass authentication by providing an an invalid, crafted username during an authentication request. Any services that use a AAA server group that is configured to use the NTLMv1 authentication protocol is affected. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- * CSCsz77717 ("TCP sessions remain in CLOSEWAIT indefinitely") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- * CSCsy91157 ("Watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed * CSCtc96018 ("ASA watchdog when inspecting malformed SIP traffic") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- * CSCsz79757 ("Traceback - Thread Name: Dispatch Unit with skinny inspect enabled") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ * CSCtb64913 ("WEBVPN: page fault in thread name dispath unit, eip udpmod_user_put") CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- * CSCtb37219 ("Traceback in Dispatch Unit AIP-SSM Inline and nailed option on static") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 5.9 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- * CSCtc47782 ("Malformed IKE traffic causes rekey to fail") CVSS Base Score - 5.0 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Partial CVSS Temporal Score - 4.1 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- * CSCte21953 ("ASA may allow authentication of an invalid username for NT auth") CVSS Base Score - 7.1 Access Vector - Network Access Complexity - Medium Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.2 Exploitability - High Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated exploitation could result in a sustained DoS condition. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- Successful exploitation of this vulnerability could cause all IPsec VPN tunnels (LAN-to-LAN or remote) that terminate on the security appliance to be torn down and prevent new tunnels from being established. A manual reload of the appliance is required to re-establish all VPN tunnels. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- Successful exploitation of this vulnerability could result in unauthorized access to the network or appliance. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following table contains the first fixed software release of each vulnerability. A device running a version of the given release in a specific row (less than the First Fixed Release) is known to be vulnerable. +---------------------------------------+ | | Major | First | | Vulnerability | Release | Fixed | | | | Release | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | |TCP Connection |---------+-----------| | Exhaustion | 7.2 | 7.2(4.46) | |Denial of |---------+-----------| | Service | 8.0 | 8.0(4.38) | |Vulnerability ( |---------+-----------| | CSCsz77717) | 8.1 | 8.1(2.29) | | |---------+-----------| | | 8.2 | 8.2(1.5) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | |SIP Inspection |---------+-----------| | Denial of | 7.2 | 7.2(4.45) | |Service |---------+-----------| | Vulnerabilities | 8.0 | 8.0(5.2) | |(CSCsy91157 and |---------+-----------| | CSCtc96018) | 8.1 | 8.1(2.37) | | |---------+-----------| | | 8.2 | 8.2(1.16) | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | | |---------+-----------| | SCCP Inspection | 7.2 | Not | | Denial of | | affected | |Service |---------+-----------| | Vulnerability ( | 8.0 | 8.0(4.38) | |CSCsz79757) |---------+-----------| | | 8.1 | 8.1(2.29) | | |---------+-----------| | | 8.2 | 8.2(1.2) | |-----------------+---------+-----------| | | 7.0 | Not | | | | affected | |WebVPN DTLS |---------+-----------| | Denial of | 7.2 | 7.2(4.45) | |Service |---------+-----------| | Vulnerability ( | 8.0 | 8.0(4.44) | |CSCtb64913) |---------+-----------| | | 8.1 | 8.1(2.35) | | |---------+-----------| | | 8.2 | 8.2(1.10) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | Crafted TCP | 7.2 | 7.2(4.45) | |Segment Denial |---------+-----------| | of Service | 8.0 | 8.0(4.44) | |Vulnerability ( |---------+-----------| | CSCtb37219) | 8.1 | 8.1(2.35) | | |---------+-----------| | | 8.2 | 8.2(1.10) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | Crafted IKE | 7.2 | 7.2(4.45) | |Message Denial |---------+-----------| | of Service | 8.0 | 8.0(5.1) | |Vulnerability ( |---------+-----------| | CSCtc47782) | 8.1 | 8.1(2.37) | | |---------+-----------| | | 8.2 | 8.2(1.15) | |-----------------+---------+-----------| | | 7.0 | 7.0(8.10) | | |---------+-----------| | | 7.2 | 7.2(4.45) | | |---------+-----------| | NTLMv1 | 8.0 | 8.0(5.7) | |Authentication |---------+-----------| | Bypass | | 8.1 | | Vulnerability ( | | (2.40), | | CSCte21953) | 8.1 | available | | | | early | | | | March | | | | 2010 | | |---------+-----------| | | 8.2 | 8.2(2.1) | +---------------------------------------+ Note: Cisco ASA Software versions 7.1.x are affected by some of the vulnerabilities in this advisory. However, no fixed 7.1.x software versions are planned because the 7.1.x major release has reached the End of Software Maintenance Releases milestone. Fixed Cisco ASA Software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT?psrtdcat20e2 Recommended Releases +------------------- Releases 7.0(8.10), 7.2(4.46), 8.0(5.9), 8.1(2.40) (available early March 2010), and 8.2(2.4) are recommended releases because they contain the fixes for all vulnerabilities in this advisory. Cisco recommends upgrading to a release that is equal to or later than these recommended releases. Workarounds =========== TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- It is possible to mitigate this vulnerability for TCP-based services that are offered to known clients. For example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect from unknown hosts and networks, no mitigations exist. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators can disable SIP inspection by issuing the "no inspect sip" command in class configuration sub-mode within policy-map configuration. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators can disable SCCP inspection by issuing the "no inspect skinny" command in class configuration sub-mode within the policy-map configuration. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can disable DTLS by issuing the "no svc dtls enable" command under the "webvpn" attributes section of the corresponding group policy. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- Possible workarounds for this vulnerability are the following: * Migrate from "nailed" static NAT entries to TCP-state bypass. * Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the "ips promiscuous" command in "class" configuration mode. * Disable IPS inspection for "nailed" static NAT entries. * If possible, change "nailed" static NAT entries to standard static NAT entries. This may be feasible since in most cases there is no need for allowing IPsec tunnels inside IPsec tunnels. Filtering out UDP port 4500 traffic across an IPsec tunnel can be accomplished by using a VPN filter, as shown in the following example: !-- Deny only UDP port 4500 traffic and allow everything else access-list VPNFILTER extended deny udp any any eq 4500 access-list VPNFILTER extended permit ip any any !-- Create a group policy and specify a VPN filter that uses the !-- previous ACL group-policy VPNPOL internal group-policy VPNPOL attributes vpn-filter value VPNFILTER !-- Reference the group policy with the VPN filter from the tunnel group tunnel-group 172.16.0.1 type ipsec-l2l tunnel-group 172.16.0.1 general-attributes default-group-policy VPNPOL For this workaround to be effective, the group policy needs to be applied to all site-to-site (tunnel type "ipsec-l2l") and remote access (tunnel type "ipsec-ra") tunnel groups. Warning: In addition to filtering out IKE traffic on UDP port 4500, this workaround may also affect other procotols like DNS and SNMP that send traffic on UDP port 4500. For example, if a DNS resolver sends traffic from UDP port 4500 to a DNS server, the response from the DNS server will be destined to UDP port 4500, which then may be filtered out by the filter used in this workaround. For a more comprehensive example of the VPN filter feature of the Cisco ASA 5500 Series Adaptive Security Appliances, refer to the whitepaper "PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access" available at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml In addition, if the security appliance does not terminate any tunnels, the vulnerability can be mitigated by disabling IKE by issuing the "no isakmp enable <interface name>" command. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1 authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.), it is possible to mitigate the vulnerability. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of any of the vulnerabilities described in this advisory. TCP Connection Exhaustion Denial of Service Vulnerability +-------------------------------------------------------- This vulnerability was discovered during the resolution of a customer service request. SIP Inspection Denial of Service Vulnerabilities +----------------------------------------------- CSCsy91157 was discovered during internal testing. CSCtc96018 was discovered during the resolution of customer service requests. SCCP Inspection Denial of Service Vulnerability +---------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. WebVPN DTLS Denial of Service Vulnerability +------------------------------------------ This vulnerability was discovered during the resolution of customer service requests. Crafted TCP Segment Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during internal testing. Crafted IKE Message Denial of Service Vulnerability +-------------------------------------------------- This vulnerability was discovered during the resolution of customer service requests. NTLMv1 Authentication Bypass Vulnerability +----------------------------------------- This vulnerability was discovered during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20100217-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2010-February-17 | Initial public release. | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2008-2010 Cisco Systems, Inc. All rights reserved. +-------------------------------------------------------------------- Updated: Feb 17, 2010 Document ID: 111485 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkt8GTYACgkQ86n/Gc8U/uBi6QCfYFKvAUdFrRvusqKoaFmMwfcH XOYAnRymbNOcRg5gmPFMO/zqgm2wOyKQ =JUg3 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/