VARIoT IoT vulnerabilities database

VAR-200703-0019 | CVE-2007-0718 | Apple QuickTime 3GP integer overflow |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
Heap-based buffer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a QTIF file with a Video Sample Description containing a Color table ID of 0, which triggers memory corruption when QuickTime assumes that a color table exists. The Apple QuickTime player contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition. Apple QuickTime is prone to multiple unspecified remote code-execution vulnerabilities including multiple heap and stack-based buffer-overflow and integer-overflow issues.
These issues arise when the application handles specially crafted 3GP, MIDI, MOV, PICT, and QTIF files. Successful attacks can result in the compromise of the application or can cause denial-of-service conditions.
Few details regarding these issues are currently available. Separate BIDs for each issue will be created as new information becomes available.
QuickTime versions prior to 7.1.5 are vulnerable. QuickTime is prone to a heap-overflow vulnerability because it fails to perform adequate bounds checking on user-supplied data. There are multiple buffer overflow vulnerabilities in QuickTime's processing of various media formats. Remote attackers may exploit these vulnerabilities to control the user's machine by enticing the user to open and process malformed media files. (CVE-2007-0718).
I. BACKGROUND
Quicktime is Apple's media player product used to render video and other
media. For more information visit http://www.apple.com/quicktime/
II. DESCRIPTION
The vulnerability specifically exists in the QuickTime player's handling of
Video media atoms. When a Video Sample Description carries a color table ID
of 0, QuickTime assumes that a color table follows the description. A byte
swap process is then performed on the memory following the description,
regardless of whether a table is present or not. Heap corruption occurs
when the memory following the description is not part of the heap chunk
being processed.
III. ANALYSIS
In order to exploit this vulnerability, an attacker must persuade a victim
into opening a specially crafted media file. This could be accomplished by
either a direct link or referenced from a website under the attacker's
control. No further interaction is required in the default configuration.
IV. DETECTION
iDefense Labs confirmed this vulnerability exists in version 7.1.3 of
QuickTime on Windows.
V. WORKAROUND
iDefense is currently unaware of any effective workarounds for this
vulnerability.
VI. VENDOR RESPONSE
More information can be found in Apple Advisory APPLE-SA-2007-03-05 at the
following URL.
http://docs.info.apple.com/article.html?artnum=305149
VII. CVE INFORMATION
This is a candidate for inclusion in the CVE list (http://cve.mitre.org/),
which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
12/06/2006 Initial vendor notification
12/11/2007 Initial vendor response
02/01/2007 Second vendor notification
03/05/2007 Coordinated public disclosure
IX. CREDIT
This vulnerability was reported to iDefense by Ruben Santamarta of
Reversemode Labs (www.reversemode.com).
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically.
It may not be edited in any way without the express written consent of
iDefense. If you wish to reprint the whole or any part of this alert in
any other medium other than electronically, please e-mail
customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.
VAR-200703-0012 | CVE-2007-0714 | Apple Quicktime UDTA ATOM Integer Overflow Vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer overflow in Apple QuickTime before 7.1.5 allows remote user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted QuickTime movie with a User Data Atom (UDTA) with an Atom size field with a large value. The Apple QuickTime player contains a heap buffer overflow vulnerability. This vulnerability may allow an attacker to execute arbitrary code or create a denial-of-service condition. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of forged size fields in user-defined data atoms (UDTA). By setting this field to an overly large value, an integer overflow occurs resulting in an exploitable heap overflow. Successful exploitation results in code execution under the context of the running user. Apple QuickTime is prone to multiple unspecified remote code-execution vulnerabilities including multiple heap and stack-based buffer-overflow and integer-overflow issues.
These issues arise when the application handles specially crafted 3GP, MIDI, MOV, PICT, and QTIF files. Successful attacks can result in the compromise of the application or can cause denial-of-service conditions.
Few details regarding these issues are currently available. Separate BIDs for each issue will be created as new information becomes available.
QuickTime versions prior to 7.1.5 are vulnerable.
ZDI-07-010: Apple Quicktime UDTA Parsing Heap Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-010.html
March 7, 2007
-- CVE ID:
CVE-2007-0714
-- Affected Vendor:
Apple
-- Affected Products:
Quicktime Player 7.1
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability since May 23, 2006 by the pre-existing Digital Vaccine
protection filter ID 4411.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More details
can be found at:
http://docs.info.apple.com/article.html?artnum=61798
-- Disclosure Timeline:
2006.05.23 - Pre-existing Digital Vaccine released to TippingPoint
customers
2006.08.14 - Vulnerability reported to vendor
2007.03.07 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by an anonymous researcher.
Apple QuickTime udta ATOM Integer Overflow
By Sowhat of Nevis Labs
Date: 2007.03.06
http://www.nevisnetworks.com
http://secway.org/advisory/AD20070306.txt
http://secway.org/advisory/AD20060512.txt
CVE: CVE-2007-0714
Vendor:
Apple Inc.
The patch for CVE-2006-1460 did not address the root cause of this vulnerability.
The layout of a udta (user data atom) atom:

                                 Bytes
  _______________________
 | User data atom        |
 |   Atom size           |   4
 |   Type = 'udta'       |   4
 |                       |
 |   User data list      |
 |     Atom size         |   4
 |     Type = user data  |   4
 |            types      |
  -----------------------
By setting the value of the Atom size to a large value such as 0xFFFFFFFF,
an insufficiently sized heap block will be allocated, resulting in a
classic complete heap memory overwrite during the RtlAllocateHeap() function.
Vendor Response:
2006.05.06 Vendor notified via product-security@apple.com
2006.05.07 Vendor responded
2006.05.09 Vendor asked for more information
2006.05.11 Vendor released QuickTime 7.1, the code path was
influenced, but the root cause was not fixed.
2007.03.06 Vendor released the fixed version
2007.03.06 Advisory release
Reference:
1. http://developer.apple.com/documentation/QuickTime/QTFF/index.html
2. http://docs.info.apple.com/article.html?artnum=305149
3. http://secway.org/advisory/AD20060512.txt
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
VAR-200703-0042 | CVE-2007-1330 | CFP driver protection bypass for the HKLM\SYSTEM\Software\Comodo\Personal Firewall registry key |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
Comodo Firewall Pro (CFP) (formerly Comodo Personal Firewall) 2.4.18.184 and earlier allows local users to bypass driver protections on the HKLM\SYSTEM\Software\Comodo\Personal Firewall registry key by guessing the name of a named pipe under \Device\NamedPipe\OLE and attempting to open it multiple times. Comodo Firewall Pro is prone to a protection-mechanism-bypass vulnerability.
Exploiting this issue allows local attackers to bypass protection mechanisms implemented to restrict access to altering the firewall's configuration settings. This allows them to disable the firewall, aiding them in further attacks. This protection mechanism can be bypassed if very specific conditions are met. CFP uses a named pipe internally; although its name changes, it can be guessed. A process that opens this pipe multiple times can control protected CFP settings, and modifying the settings may disable all protection mechanisms after a restart.
VAR-200703-0084 | CVE-2007-1257 | Cisco Catalyst Systems with a NAM may allow system access via spoofing the SNMP communication |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Network Analysis Module (NAM) in Cisco Catalyst Series 6000, 6500, and 7600 allows remote attackers to execute arbitrary commands via certain SNMP packets that are spoofed from the NAM's own IP address. According to Cisco Systems, the NAM models WS-SVC-NAM-1, WS-SVC-NAM-2 and WS-X6380-NAM are affected; for details, check the information provided by the vendor. Processing of SNMP packets crafted by a third party may allow arbitrary commands to be executed. According to Cisco Systems, the device may be completely controlled.
An attacker can leverage this issue to gain complete control of the affected device. NAM uses the Simple Network Management Protocol (SNMP) to communicate with the Catalyst system.
TITLE:
Cisco Products NAM SNMP Spoofing Vulnerability
SECUNIA ADVISORY ID:
SA24344
VERIFY ADVISORY:
http://secunia.com/advisories/24344/
CRITICAL:
Moderately critical
IMPACT:
System access
WHERE:
From local network
OPERATING SYSTEM:
Cisco IOS R12.x
http://secunia.com/product/50/
Cisco IOS 12.x
http://secunia.com/product/182/
Cisco CATOS 8.x
http://secunia.com/product/3564/
Cisco CATOS 7.x
http://secunia.com/product/185/
SOFTWARE:
Cisco Catalyst 6500 Series Network Analysis Module (NAM-1/NAM-2)
http://secunia.com/product/2272/
Cisco Catalyst 6500 Series Network Analysis Module (First Generation)
http://secunia.com/product/2271/
DESCRIPTION:
A vulnerability has been reported in various Cisco products, which
can be exploited by malicious people to compromise a vulnerable
system.
SOLUTION:
Update to a fixed version (see vendor advisory for details).
http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200703-0085 | CVE-2007-1258 | Cisco IOS of MPLS Service disruption due to processing (DoS) Vulnerabilities |
CVSS V2: 6.1 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Cisco IOS 12.2SXA, SXB, SXD, and SXF; and the MSFC2, MSFC2a and MSFC3 running in Hybrid Mode on Cisco Catalyst 6000, 6500 and Cisco 7600 series systems; allows remote attackers on a local network segment to cause a denial of service (software reload) via a certain MPLS packet. According to Cisco Systems, the affected systems are limited; for details, check the information provided by the vendor. Processing of an MPLS packet crafted by a third party may put the affected device into a denial-of-service (DoS) state. Cisco Catalyst switches and routers are prone to multiple remote denial-of-service vulnerabilities because the device fails to handle exceptional conditions.
An attacker can exploit these issues to restart the affected device. Repeated exploits may lead to denial-of-service conditions. IOS is prone to a denial-of-service vulnerability.
The vulnerability is caused due to an unspecified error when
processing MPLS packets and can be exploited to reload an affected
system.
http://www.cisco.com/warp/public/707/cisco-sa-20070228-mpls.shtml
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070228-mpls.shtml
VAR-200703-0141 | CVE-2007-1222 | Parallels Desktop for Mac vulnerable to writing files to the host file system |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Parallels Desktop for Mac before 20070216 implements Drag and Drop by sharing the entire host filesystem as the .psf share, which allows local users of the guest operating system to write arbitrary files to the host filesystem, and execute arbitrary code via launchd by writing a plist file to a LaunchAgents directory.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Parallels Desktop for Mac Shared Folder Security Issue
SECUNIA ADVISORY ID:
SA24171
VERIFY ADVISORY:
http://secunia.com/advisories/24171/
CRITICAL:
Less critical
IMPACT:
Security Bypass
WHERE:
Local system
SOFTWARE:
Parallels Desktop for Mac
http://secunia.com/product/12498/
DESCRIPTION:
Rich Mogull has reported a security issue in Parallels Desktop for
Mac, which can be exploited by malicious software to bypass certain
security restrictions.
The problem is that the Drag-and-Drop functionality of the VM
(virtual machine) is implemented via a shared folder with
"read-write" access to the host system. This can be exploited to
write or manipulate files on the host system e.g. by malware in the
VM.
SOLUTION:
Disable Drag-and-Drop.
PROVIDED AND/OR DISCOVERED BY:
Rich Mogull
ORIGINAL ADVISORY:
http://lists.immunitysec.com/pipermail/dailydave/2007-February/004091.html
VAR-200702-0537 | No CVE | CNVD-2007-1386 |
CVSS V2: - CVSS V3: - Severity: - |
A vulnerability exists in Parallels Desktop for Mac before 20070216, allowing remote attackers to execute arbitrary code.
VAR-200702-0535 | CVE-2007-1093 | NNM denial of service (DoS) vulnerabilities |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in JP1/Cm2/Network Node Manager (NNM) before 07-10-05, and before 08-00-02 in the 08-x series, allow remote attackers to execute arbitrary code, cause a denial of service, or trigger invalid Web utility behavior. Hitachi JP1/Cm2/Network Node Manager is prone to multiple unspecified vulnerabilities.
Further technical details are unknown at this time. This BID will be updated as more information becomes available.
An attacker can exploit these issues to deny access to legitimate users or to execute arbitrary code, which could result in the compromise of the application and computer; other attacks are also possible.
TITLE:
Hitachi JP1/Cm2/Network Node Manager Unspecified Vulnerabilities
SECUNIA ADVISORY ID:
SA24276
VERIFY ADVISORY:
http://secunia.com/advisories/24276/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
From local network
SOFTWARE:
Hitachi JP1/Cm2/Network Node Manager
http://secunia.com/product/9570/
DESCRIPTION:
Some vulnerabilities have been reported in Hitachi JP1/Cm2/Network
Node Manager, which can be exploited by malicious people to cause a
DoS (Denial of Service) or to compromise a vulnerable system.
Please see the vendor's advisory for a list of affected products and
versions.
SOLUTION:
Please see the vendor's advisory for fix information.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Hitachi:
http://www.hitachi-support.com/security_e/vuls_e/HS07-002_e/index-e.html
VAR-200702-0413 | CVE-2007-1108 | Christian Schneider CS-Gallery index.php PHP remote file inclusion vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
PHP remote file inclusion vulnerability in index.php in Christian Schneider CS-Gallery 2.0 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the album parameter during a securealbum todo action. CS-Gallery is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data.
Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also possible.
CS-Gallery 2.0 is vulnerable; other versions may also be affected.
TITLE:
CS-Gallery "album" File Inclusion Vulnerability
SECUNIA ADVISORY ID:
SA24291
VERIFY ADVISORY:
http://secunia.com/advisories/24291/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
CS-Gallery 2.x
http://secunia.com/product/13564/
DESCRIPTION:
burncycle has discovered a vulnerability in CS-Gallery, which can be
exploited by malicious people to compromise a vulnerable system.
Input passed to the "album" parameter in index.php is not properly
verified before being used to include files. This can be exploited to
include arbitrary files from local or external resources.
Successful exploitation requires that "register_globals" is enabled
and that the "todo" parameter is set to "securealbum".
The vulnerability is confirmed in version 2.0.
SOLUTION:
Edit the source code to ensure that input is properly verified.
PROVIDED AND/OR DISCOVERED BY:
burncycle
ORIGINAL ADVISORY:
http://www.milw0rm.com/exploits/3372
VAR-200702-0422 | CVE-2007-1119 | Novell ZENworks 7 Desktop Management Support Pack 1 vulnerability in uploading images to specific folders |
Related entries in the VARIoT exploits database: VAR-E-200702-0526 |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Novell ZENworks 7 Desktop Management Support Pack 1 before Hot patch 3 (ZDM7SP1HP3) allows remote attackers to upload images to certain folders that were not configured in the "Only allow uploads to the following directories" setting via unspecified vectors.
Novell Zenworks Desktop Management version 7 Support Pack 1 - ZDM7 SP1 and ZDM7 SP1 Imaging are vulnerable to this issue.
SOLUTION:
Apply ZDM7SP1HP3.
http://download.novell.com/Download?buildid=GcDUupyC8Zg
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
https://secure-support.novell.com/KanisaPlatform/Publishing/408/3563780_f.SAL_Public.html
https://secure-support.novell.com/KanisaPlatform/Publishing/650/3484245_f.SAL_Public.html
VAR-200702-0006 | CVE-2006-6490 | SupportSoft ActiveX controls contain multiple buffer overflows |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Multiple buffer overflows in the SupportSoft (1) SmartIssue (tgctlsi.dll) and (2) ScriptRunner (tgctlsr.dll) ActiveX controls, as used by Symantec Automated Support Assistant and Norton AntiVirus, Internet Security, and System Works 2006, allows remote attackers to execute arbitrary code via a crafted HTML message.
The affected software component is included in several third-party applications. SupportSoft is self-service support software that users can use to resolve problems they encounter. Symantec's Norton Internet Security 2006 suite, which includes the SupportSoft tool, is also affected by the vulnerability.
TITLE:
SupportSoft ActiveX Controls Buffer Overflow Vulnerabilities
SECUNIA ADVISORY ID:
SA24251
VERIFY ADVISORY:
http://secunia.com/advisories/24251/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
SupportSoft ActiveX Controls 5.x
http://secunia.com/product/13545/
SupportSoft ActiveX Controls 6.x
http://secunia.com/product/13546/
DESCRIPTION:
Some vulnerabilities have been reported in various SupportSoft
ActiveX controls, which can be exploited by malicious people to
compromise a user's system.
The vulnerabilities are caused due to boundary errors within the
SmartIssue, RemoteAssist, and Probe ActiveX controls. These can be
exploited to cause stack-based buffer overflows via overly long
arguments passed to various methods.
Successful exploitation allows execution of arbitrary code but
requires that the user is e.g. tricked into visiting a malicious web
site.
The vulnerabilities reportedly affect versions 5.5, 5.6, and 6.x.
SOLUTION:
Apply updates.
http://www.supportsoft.com/support/controls_update.asp
PROVIDED AND/OR DISCOVERED BY:
Independently discovered by:
* Mark Litchfield, NGSSoftware
* Peter Vreugdenhil, reported via iDefense Labs
* Will Dormann, CERT/CC
ORIGINAL ADVISORY:
SupportSoft:
http://www.supportsoft.com/support/Security%20Advisory%202006-01-V2007.pdf
US-CERT VU#441785:
http://www.kb.cert.org/vuls/id/441785
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=478
Symantec Security Advisory
SYM07-002
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
BID 22564
22 Feb, 2007
Stack Overflow in Third-Party ActiveX Controls affects Multiple Vendor Products Including Some Symantec Consumer Products and Automated Support Assistant
Revision History
None
Severity
High (dependent on configuration and user interaction)
BID 22564
http://www.symantec.com/avcenter/security/Content/2007.02.22.html
Remote Access Yes
Local Access No
Authentication Required No
Exploit publicly available No
Overview
Vulnerabilities were identified in third-party trouble-shooting ActiveX
controls, developed by SupportSoft, www.supportsoft.com. Two of these
controls were signed, shipped and installed with the identified versions of
Symantec's consumer products and as part of the Symantec Automated Support
Assistant support tool. The vulnerability identified in the Symantec shipped
controls could potentially result in a stack overflow requiring user
interaction to exploit. If successfully exploited this vulnerability could
potentially compromise a user's system possibly allowing execution of
arbitrary code or unauthorized access to system assets with the permissions
of the user's browser.
Supported Symantec Product(s) Affected
Product                                     Solution(s)
Symantec Automated Support Assistant        Update Available
Symantec Norton AntiVirus 2006              Update Available
Symantec Norton Internet Security 2006      Update Available
Symantec Norton System Works 2006           Update Available
Symantec Products NOT Affected
Product(s)                                  Version
Symantec 2007 Consumer Products             All
Symantec Norton 360
Symantec Corporate and Enterprise Products  All
NOTE: Only Symantec Consumer products indicated as affected above shipped with these vulnerable components. The Symantec Automated Support Assistant is used by online consumer customer support when a consumer customer visits the support site requiring assistance.
The Automated Support Assistant tool aids in providing the user with solution information to their problems. The SupportSoft ActiveX controls were initially implemented mid-2005 on Symantec's consumer support site. During the timeframe up to August 2006, when the non-vulnerable controls were made available, vulnerable controls could potentially be installed by the Automated Support Assistant on customer systems running Symantec consumer products and versions other than those listed above.
See Symantec Response section to determine if your product has a vulnerable version of the Automated Support Assistant fix tool.
Symantec Corporate and Enterprise products do not ship with these components and are NOT vulnerable to this issue.
These SupportSoft ActiveX components did not properly validate external input. This failure could potentially lead to unauthorized access to system resources or the possible execution of malicious code with the privileges of the user's browser, resulting in a potential compromise of the user's system.
Any attempt to exploit these issues would require interactive user involvement. An attacker would need to be able to effectively entice a user to visit a malicious web site where their malicious code was hosted, or to click on a malicious URL, in any attempt to compromise the user's system. While these SupportSoft-developed components should also have been effectively site-locked, which would have further reduced the severity, this capability was found to be improperly implemented in the vulnerable versions.
Symantec Response
Symantec worked closely with SupportSoft to ensure updates were quickly made available for the identified controls. SupportSoft has posted a
Security Bulletin, http://www.supportsoft.com/support/controls_update.asp,
for the controls Symantec uses and controls used in other products on their support site, www.supportsoft.com.
Symantec immediately removed the vulnerable controls from its consumer support site. Symantec engineers tested the updates provided by
SupportSoft extensively and once tested updated the Symantec Automated Support Assistant on Symantec's support site. Additionally, in November 2006, the vulnerable versions of these controls were disabled through LiveUpdate for Symantec consumer customers who regularly run interactive updates to their Symantec applications.
Those Symantec consumer customers who rely solely on Automatic LiveUpdate would have received an automatic notification to initiate an
interactive LiveUpdate session to obtain all pending updates. To ensure all updates have been properly retrieved and applied to Symantec
consumer products, users should regularly run an interactive LiveUpdate session as follows:
* Open any installed Symantec consumer product
* Click on LiveUpdate in the GUI toolbar
* Run LiveUpdate until all available Symantec product updates are downloaded and installed or you are advised that your system has the latest
updates available.
Symantec recommends customers always ensure they have the latest updates to protect against threats.
Symantec customers who previously downloaded the Symantec Automated Support Assistant tool beginning in July 2005 and those who have installed versions of the consumer products indicated above may also go to the Symantec
support site, https://www-secure.symantec.com/techsupp/asa/install.jsp to ensure they have the updated version of the Automated Support Assistant fix tool. By
downloading the updated version of the Symantec Automated Support Assistant fix tool, any existing legacy controls are updated with non-vulnerable
versions.
Customers, who have received support assistance since August 2006, will already have the latest non-vulnerable versions of these controls.
Symantec has not seen any active attempts against or customer impact from these issues.
Mitigation
Symantec Security Response is releasing an AntiVirus Bloodhound definition
Bloodhound.Exploit.119, a heuristic detection and prevention for attempts to exploit these vulnerable controls. Virus definitions containing this heuristic will be available through Symantec LiveUpdate or Symantec's Intelligent Updater.
IDS signatures have also been released to detect and block attempts to exploit this issue. Customers using Symantec Norton Internet Security or Norton Personal Firewall receive regular signature updates if they run LiveUpdate automatically. If not using the Automatic LiveUpdate function, Symantec recommends customers interactively run Symantec LiveUpdate frequently to ensure they have the most current protection available.
Establishing more secure Internet zone settings for the local user can prohibit activation of ActiveX controls without the user's consent.
An attacker who successfully exploited this vulnerability could gain the user rights of the local user. Users whose accounts are configured to have fewer user rights on the system would be less impacted than users who operate with administrative privileges.
As always, if previously unknown malicious code were attempted to be distributed in this manner, Symantec Security Response would react quickly
to update definitions via LiveUpdate to detect and deter any new threat(s).
Best Practices
As part of normal best practices, Symantec strongly recommends a multi-layered approach to security:
* Run under the principle of least privilege where possible.
* Keep all operating systems and applications updated with the latest vendor patches.
* Users, at a minimum, should run both a personal firewall and antivirus application with current updates to provide multiple points of detection
and protection to both inbound and outbound threats.
* Users should be cautious of mysterious attachments and executables delivered via email and be cautious of browsing unknown/untrusted websites or clicking on unknown/untrusted URL links.
* Do not open unidentified attachments or executables from unknown sources or that you didn't request or were unaware of.
* Always err on the side of caution. Even if the sender is known, the source address may be spoofed.
* If in doubt, contact the sender to confirm they sent it and why before opening the attachment. If still in doubt, delete the attachment without
opening it.
CVE
A CVE Candidate CVE-2006-6490 has been assigned. This issue is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
Credit:
Symantec has coordinated very closely with SupportSoft to help ensure that all additional affected vendor customer bases have been provided with information concerning affected controls and updates to address the vulnerability.
Symantec wants to thank Mark Litchfield of NGS Software Ltd. for the initial identification and notification of this issue and for the
excellent, in-depth coordination with both Symantec and SupportSoft while resolving the issue.
Additionally, this issue was independently identified by the analysts at CERT,
in CERT Vulnerability Note VU#441785, who reported their findings to and worked closely with both Symantec and SupportSoft through to resolution
and by Peter Vreugdenhil, working through iDefense who coordinated with Symantec as we resolved the issue.
Symantec takes the security and proper functionality of its products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec follows the principles of responsible disclosure.
Symantec also subscribes to the vulnerability guidelines outlined by the National Infrastructure Advisory Council (NIAC). Please contact
secure@symantec.com if you feel you have discovered a potential or actual security issue with a Symantec product. A Symantec Product
Security team member will contact you regarding your submission.
Symantec has developed a Product Vulnerability Handling Process document outlining the process we follow in addressing suspected vulnerabilities in
our products.
We support responsible disclosure of all vulnerability information in a timely manner to protect Symantec customers and the security of the
Internet as a result of vulnerability. This document is available from
http://www.symantec.com/security/
Symantec strongly recommends using encrypted email for reporting vulnerability information to secure@symantec.com. The Symantec Product
Security PGP key can be obtained from the location provided above.
VAR-200702-0472 | CVE-2007-1072 | Cisco Unified IP Phone 7906G Service disruption in (DoS) Vulnerabilities |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The command line interface (CLI) in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier allows local users to obtain privileges or cause a denial of service via unspecified vectors. NOTE: this issue can be leveraged remotely via CVE-2007-1063. Combined with CVE-2007-1063, the issue can therefore be attacked remotely; on its own, a local user may gain privileges or put the device into a denial-of-service (DoS) state. Unified IP Phone 7970G is prone to a denial-of-service vulnerability. The CLI in several Cisco products is vulnerable to permissions and access control issues. The vulnerability stems from the lack of effective permissions and access control measures in network systems or products.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Cisco Unified IP Conference Station / IP Phone Default Accounts
SECUNIA ADVISORY ID:
SA24262
VERIFY ADVISORY:
http://secunia.com/advisories/24262/
CRITICAL:
Moderately critical
IMPACT:
Security Bypass
WHERE:
From local network
OPERATING SYSTEM:
Cisco Unified IP Conference Station 7936
http://secunia.com/product/13540/
Cisco Unified IP Conference Station 7935
http://secunia.com/product/13541/
Cisco Unified IP Phones 7900 Series
http://secunia.com/product/13543/
DESCRIPTION:
Some security issues have been reported in Cisco Unified IP
Conference Station and IP Phones, which can be exploited by malicious
people to access a vulnerable device.
1) A design error in way the administrative HTTP interface of Cisco
Unified IP Conference Station handles the state of administrator
login sessions can be exploited to bypass the user authentication by
accessing management URLs directly.
SOLUTION:
Update to a fixed version (see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Christian Reichert, Christian Blum, and Jens
Link of Intact Integrated Services.
2) Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml
----------------------------------------------------------------------
VAR-200702-0154 | CVE-2006-7034 | Super Link Exchange Script of directory.php In SQL Injection vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SQL injection vulnerability in directory.php in Super Link Exchange Script 1.0 might allow remote attackers to execute arbitrary SQL queries via the cat parameter.
VAR-200702-0463 | CVE-2007-1062 | Cisco Unified IP Conference Station 7935 Vulnerability that can bypass authentication control |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The Cisco Unified IP Conference Station 7935 3.2(15) and earlier, and Station 7936 3.3(12) and earlier does not properly handle administrator HTTP sessions, which allows remote attackers to bypass authentication controls via a direct URL request to the administrative HTTP interface for a limited time. Cisco Unified IP Conference Station and Unified IP Phone are prone to multiple remote vulnerabilities. These issues include an administrative-bypass issue, an unauthorized-access issue, and a privilege-escalation issue.
An attacker can exploit these issues to completely compromise affected devices. The attacker may be able to gain administrative access to the affected device, execute arbitrary code with administrative privileges, or cause the device to become unstable, denying service to legitimate users. This vulnerability stems from the lack of authentication measures or insufficient authentication strength in network systems or products.
----------------------------------------------------------------------
This can further be exploited to cause a DoS (Denial of Service) or gain escalated privileges.
SOLUTION:
Update to a fixed version (see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Christian Reichert, Christian Blum, and Jens
Link of Intact Integrated Services.
2) Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml
----------------------------------------------------------------------
VAR-200702-0464 | CVE-2007-1063 | SSH server in Cisco Unified IP Phone Device access vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
The SSH server in Cisco Unified IP Phone 7906G, 7911G, 7941G, 7961G, 7970G, and 7971G, with firmware 8.0(4)SR1 and earlier, uses a hard-coded username and password, which allows remote attackers to access the device. Cisco Unified IP Conference Station and Unified IP Phone are prone to multiple remote vulnerabilities. These issues include an administrative-bypass issue, an unauthorized-access issue, and a privilege-escalation issue.
An attacker can exploit these issues to completely compromise affected devices. The attacker may be able to gain administrative access to the affected device, execute arbitrary code with administrative privileges, or cause the device to become unstable, denying service to legitimate users. The SSH server in many Cisco products has a trust management vulnerability. This vulnerability stems from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components.
----------------------------------------------------------------------
1) A design error in way the administrative HTTP interface of Cisco
Unified IP Conference Station handles the state of administrator
login sessions can be exploited to bypass the user authentication by
accessing management URLs directly. This can further be exploited to cause a DoS
(Denial of Service) or gain escalated privileges.
SOLUTION:
Update to a fixed version (see the vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
1) The vendor credits Christian Reichert, Christian Blum, and Jens
Link of Intact Integrated Services.
2) Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-phone.shtml
http://www.cisco.com/warp/public/707/cisco-air-20070221-phone.shtml
----------------------------------------------------------------------
VAR-200702-0465 | CVE-2007-1064 | CSSC Vulnerability that can be obtained authority in products such as |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not drop privileges when the help facility in the supplicant GUI is invoked, which allows local users to gain privileges, aka CSCsf14120. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software.
Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices. Privilege Escalation: An unprivileged user logged into a computer can elevate privileges locally, to those of the system user, through the help tool in the supplicant GUI. This vulnerability is documented as Cisco Bug ID CSCsf14120.
----------------------------------------------------------------------
1) Various design errors can be exploited to gain escalated
privileges via e.g. the help functionality, when launching programs,
by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is
stored in cleartext in the application log files.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
----------------------------------------------------------------------
VAR-200702-0466 | CVE-2007-1065 | CSSC In products such as SYSTEM Privileged vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client allows local users to gain SYSTEM privileges via unspecified vectors in the supplicant, aka CSCsf15836. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software.
Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices. Privilege Escalation: An unprivileged user logged into the computer can launch arbitrary programs on the system, running with SYSTEM privileges, from the requester application. This vulnerability is documented as Cisco Bug ID CSCsf15836.
----------------------------------------------------------------------
1) Various design errors can be exploited to gain escalated
privileges via e.g. the help functionality, when launching programs,
by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is
stored in cleartext in the application log files.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
----------------------------------------------------------------------
VAR-200702-0467 | CVE-2007-1066 | CSSC Vulnerability that can be obtained authority in products such as |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client use an insecure default Discretionary Access Control Lists (DACL) for the connection client GUI, which allows local users to gain privileges by injecting "a thread under ConnectionClient.exe," aka CSCsg20558. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software.
Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices. This vulnerability is documented as Cisco Bug ID CSCsg20558.
----------------------------------------------------------------------
1) Various design errors can be exploited to gain escalated
privileges via e.g. the help functionality, when launching programs,
by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is
stored in cleartext in the application log files.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
----------------------------------------------------------------------
VAR-200702-0468 | CVE-2007-1067 | CSSC Vulnerability that can be obtained authority in products such as |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client do not properly parse commands, which allows local users to gain privileges via unspecified vectors, aka CSCsh30624. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software.
Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices. Privilege Escalation: Because of the way commands are parsed, an unprivileged user logged on to a computer can start a process with the privileges of the local system user. This vulnerability is documented as Cisco Bug IDs CSCsh30297 and CSCsh30624.
----------------------------------------------------------------------
1) Various design errors can be exploited to gain escalated
privileges via e.g. the help functionality, when launching programs,
by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is
stored in cleartext in the application log files.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
----------------------------------------------------------------------
VAR-200702-0469 | CVE-2007-1068 | CSSC Of products such as Vulnerability in the acquisition of important information in authentication methods |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
The (1) TTLS CHAP, (2) TTLS MSCHAP, (3) TTLS MSCHAPv2, (4) TTLS PAP, (5) MD5, (6) GTC, (7) LEAP, (8) PEAP MSCHAPv2, (9) PEAP GTC, and (10) FAST authentication methods in Cisco Secure Services Client (CSSC) 4.x, Trust Agent 1.x and 2.x, Cisco Security Agent (CSA) 5.0 and 5.1 (when a vulnerable Trust Agent has been deployed), and the Meetinghouse AEGIS SecureConnect Client store transmitted authentication credentials in plaintext log files, which allows local users to obtain sensitive information by reading these files, aka CSCsg34423. By reading these plaintext log files, a local user may obtain sensitive information. Cisco CSSC and CTA products are prone to an information-disclosure issue and multiple privilege-escalation vulnerabilities because of design flaws in the software.
Exploiting these issues allows local attackers to access sensitive information and to elevate their privileges on affected computers. Cisco Secure Services Client is a tool for deploying a single 802.1X-based authentication framework across multiple Cisco devices.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
1) Various design errors can be exploited to gain escalated
privileges via e.g. the help functionality, when launching programs,
by injecting threads, and when parsing commands.
2) When using various authentication methods, the user's password is
stored in cleartext in the application log files.
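The second issue is a logging defect: the supplicant writes the user's password into its own log file, where any local account that can read the file can recover it. The following is an added example written for this page, not code from Cisco, Meetinghouse or Secunia. The log line format, field names and the sample log lines are constructed for the example and do not reproduce the real CSSC/CTA/AEGIS log format. It shows the vulnerable logging pattern beside a redacting replacement, and a scanner that finds unredacted secrets in existing log lines so an administrator can check what a deployed client has already leaked.

```python
"""Credential leakage into supplicant logs: vulnerable vs. redacting logger,
plus a scanner for already-written log files. Illustrative code only; the
log format and sample lines below are constructed, not Cisco's."""
import re
from dataclasses import dataclass


@dataclass
class AuthAttempt:
    method: str      # e.g. "PEAP-MSCHAPv2", "TTLS-PAP", "LEAP"
    username: str
    password: str    # the user secret; must never reach the log
    server: str


def log_line_unsafe(a: AuthAttempt) -> str:
    """Vulnerable pattern (the CVE-2007-1068 class of bug): the secret is
    formatted into the log line verbatim."""
    return (f"auth method={a.method} user={a.username} "
            f"password={a.password} server={a.server}")


def log_line_redacted(a: AuthAttempt) -> str:
    """Hardened pattern: the secret is never interpolated; a fixed marker
    records that a credential was sent without recording its value."""
    return (f"auth method={a.method} user={a.username} "
            f"password=[REDACTED] server={a.server}")


# Matches key=value pairs whose key names a secret. Keys are an assumption
# of this example; extend the alternation for a real log format.
SECRET_FIELD = re.compile(r"\b(password|passwd|pwd|secret)=(?P<value>\S+)", re.I)
REDACTED_MARKERS = {"[REDACTED]", "********", "<hidden>"}


def find_leaked_secrets(lines):
    """Return [(line_no, field, value)] for every unredacted secret.
    Line numbers are 1-based so they map onto an editor or `sed -n`."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in SECRET_FIELD.finditer(line):
            if m.group("value") not in REDACTED_MARKERS:
                hits.append((n, m.group(1), m.group("value")))
    return hits


def scrub_line(line: str) -> str:
    """Replace every secret value with the redaction marker, keeping the
    rest of the line intact so the log stays useful for troubleshooting."""
    return SECRET_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


# Constructed sample log: two lines leak a password, one is already
# redacted, one is unrelated association noise.
SAMPLE_LOG = [
    "2007-02-21 10:01:02 auth method=PEAP-MSCHAPv2 user=alice password=Winter2007! server=radius1",
    "2007-02-21 10:01:03 auth method=TTLS-PAP user=bob password=[REDACTED] server=radius1",
    "2007-02-21 10:01:04 assoc ssid=corp bssid=00:11:22:33:44:55",
    "2007-02-21 10:01:05 auth method=LEAP user=carol pwd=hunter2 server=radius2",
]


def main():
    attempt = AuthAttempt("PEAP-MSCHAPv2", "alice", "Winter2007!", "radius1")
    print("unsafe  :", log_line_unsafe(attempt))
    print("redacted:", log_line_redacted(attempt))
    for n, field, value in find_leaked_secrets(SAMPLE_LOG):
        print(f"leak at line {n}: {field}={value}")
    cleaned = [scrub_line(l) for l in SAMPLE_LOG]
    print("leaks after scrub:", find_leaked_secrets(cleaned))


if __name__ == "__main__":
    main()
```

Scrubbing an existing log is a clean-up, not a fix: the passwords have already been exposed to every local user who could read the file, so rotate the affected credentials and apply the vendor update rather than relying on the scrub alone.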
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
Cisco Systems:
http://www.cisco.com/warp/public/707/cisco-sa-20070221-supplicant.shtml
----------------------------------------------------------------------
