VARIoT IoT vulnerabilities database
| VAR-200807-0659 | CVE-2008-5133 | Multiple DNS implementations vulnerable to cache poisoning |
CVSS V2: 5.8 CVSS V3: - Severity: MEDIUM |
ipnat in IP Filter in Sun Solaris 10 and OpenSolaris before snv_96, when running on a DNS server with Network Address Translation (NAT) configured, improperly changes the source port of a packet when the destination port is the DNS port, which allows remote attackers to bypass an intended CVE-2008-1447 protection mechanism and spoof the responses to DNS queries sent by named. Deficiencies in the DNS protocol and common DNS implementations facilitate DNS cache poisoning attacks. Multiple vendors' implementations of the DNS protocol are prone to a DNS-spoofing vulnerability because the software fails to securely implement random values when performing DNS queries.
Successfully exploiting this issue allows remote attackers to spoof DNS replies, allowing them to redirect network traffic and to launch man-in-the-middle attacks.
This issue affects Microsoft Windows DNS Clients and Servers, ISC BIND 8 and 9, and multiple Cisco IOS releases; other DNS implementations may also be vulnerable. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
F5 Products DNS Cache Poisoning Vulnerability
SECUNIA ADVISORY ID:
SA31093
VERIFY ADVISORY:
http://secunia.com/advisories/31093/
CRITICAL:
Moderately critical
IMPACT:
Spoofing
WHERE:
>From remote
OPERATING SYSTEM:
FirePass 6.x
http://secunia.com/product/13146/
FirePass 5.x
http://secunia.com/product/4695/
BIG-IP Application Security Manager 9.x
http://secunia.com/product/17352/
BIG-IP 9.x
http://secunia.com/product/3158/
BIG-IP 4.x
http://secunia.com/product/3157/
3-DNS Controller 4.x
http://secunia.com/product/4960/
WANJet 5.x
http://secunia.com/product/19318/
F5 Enterprise Manager 1.x
http://secunia.com/product/19317/
DESCRIPTION:
A vulnerability has been reported in various F5 products, which can
be exploited by malicious people to poison the DNS cache.
The vulnerability is caused due to the products not sufficiently
randomising the DNS transaction ID and the source port number, which
can be exploited to poison the DNS cache.
The vulnerability affects the following products and versions:
* 3-DNS versions 4.5 - 4.5.14, 4.6 - 4.6.1, and 4.6.2 - 4.6.4
* BIG-IP versions 4.5 - 4.5.14, 4.6 - 4.6.1, and 4.6.2 - 4.6.4
* BIG-IP LTM versions 9.3 - 9.3.1, 9.4 - 9.4.5, and 9.6 - 9.6.1
* BIG-IP GTM versions 9.3 - 9.3.1 and 9.4 - 9.4.5
* BIG-IP ASM versions 9.3 - 9.3.1 and 9.4 - 9.4.5
* BIG-IP Link Controller versions 9.3 - 9.3.1 and 9.4 - 9.4.5
* BIG-IP WebAccelerator versions 9.4 - 9.4.5
* BIG-IP PSM version 9.4.5
* BIG-IP SAM version 8.0
* FirePass versions 5.5 - 5.5.2 and 6.0 - 6.0.2
* Enterprise Manager versions 1.2 - 1.4.1 and 1.6
* WANJet versions 5.0 - 5.0.2
NOTE: The vulnerability only affects products for which recursion is
enabled. Reportedly only the BIG-IP LTM MSM module configured for
local bind has recursion enabled by default.
SOLUTION:
The vendor recommends disabling DNS recursion. Please see vendor's
advisory for more details.
PROVIDED AND/OR DISCOVERED BY:
Dan Kaminsky, IOActive
ORIGINAL ADVISORY:
https://support.f5.com/kb/en-us/solutions/public/8000/900/sol8938.html
OTHER REFERENCES:
US-CERT VU#800113:
http://www.kb.cert.org/vuls/id/800113
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0291 | CVE-2008-3149 | F5 FirePass SSL VPN SNMP Daemon Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The SNMP daemon in the F5 FirePass 1200 6.0.2 hotfix 3 allows remote attackers to cause a denial of service (daemon crash) by walking the hrSWInstalled OID branch in HOST-RESOURCES-MIB. FirePass is prone to a denial-of-service vulnerability in the SNMP daemon.
An attacker can exploit this issue to cause the affected application to crash, resulting in a denial-of-service condition. F5 FirePass SSL VPN devices allow users to securely connect to critical business applications. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
F5 FirePass 1200 SSL VPN SNMP Denial of Service
SECUNIA ADVISORY ID:
SA30965
VERIFY ADVISORY:
http://secunia.com/advisories/30965/
CRITICAL:
Less critical
IMPACT:
DoS
WHERE:
>From local network
OPERATING SYSTEM:
FirePass 5.x
http://secunia.com/product/4695/
FirePass 6.x
http://secunia.com/product/13146/
DESCRIPTION:
nnposter has reported a vulnerability in F5 FirePass 1200 SSL VPN,
which can be exploited by malicious people to cause a DoS (Denial of
Service).
The vulnerability is caused due to an error when traversing certain
OID branches (e.g. hrSWInstalled in HOST-RESOURCES-MIB / OID
1.3.6.1.2.1.25.6) and can be exploited to crash the daemon.
The vulnerability is reported in version 6.0.2 hotfix 3. Other
versions may also be affected.
PROVIDED AND/OR DISCOVERED BY:
nnposter
ORIGINAL ADVISORY:
http://archives.neohapsis.com/archives/bugtraq/2008-07/0037.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0286 | CVE-2008-2309 | Apple Mac OS X of CoreTypes Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Incomplete blacklist vulnerability in CoreTypes in Apple Mac OS X before 10.5.4 allows user-assisted remote attackers to execute arbitrary code via a (1) .xht or (2) .xhtm file, which does not trigger a "potentially unsafe" warning message in (a) the Download Validation feature in Mac OS X 10.4 or (b) the Quarantine feature in Mac OS X 10.5.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. This update adds .xht and .xhtm files to the system's list of content types that are marked as unsafe under certain circumstances, such as when downloaded from a web page. Although these content types are not automatically loaded, manually opening them can lead to malicious payloads being executed. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30802
VERIFY ADVISORY:
http://secunia.com/advisories/30802/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and a weakness.
1) An unspecified error in the Alias Manager when handling AFP volume
mount information in an alias data structure can be exploited to cause
a memory corruption and potentially execute arbitrary code.
2) A weakness is caused due to users not being warned before opening
certain potentially unsafe content types, e.g. .xht and .xhtm files.
3) A format string error in c++filt can be exploited to exploited to
execute arbitrary code when a specially crafted string is passed to
the application.
4) An vulnerability in Dock can be exploited by malicious people with
physical access to a system to bypass the screen lock when Expos\xe9 hot
corners are set.
5) A race condition error exists in Launch Services in the download
validation of symbolic links. This can be exploited to execute
arbitrary code when a user visits a malicious web site.
Successful exploitation requires that the "Open 'safe' files" option
is enabled in Safari.
6) A vulnerability in Net-SNMP can be exploited by malicious people
to spoof authenticated SNMPv3 packets.
For more information:
SA30574
7) Some vulnerabilities in Ruby can be exploited by malicious people
to disclose sensitive information, cause a DoS (Denial of Service),
or potentially compromise a vulnerable system.
For more information:
SA29232
SA29794
NOTE: Reportedly, the directory traversal issue does not affect Mac
OS X.
8) A vulnerability in SMB File Server can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA30228
9) It is possible to store malicious files within the User Template
directory. This can be exploited to execute arbitrary code with
permissions of a new user when his home directory is created using
the User Template directory.
10) Some vulnerabilities in Tomcat can be exploited by malicious
users to disclose sensitive information and by malicious people to
disclose sensitive information or to conduct cross-site scripting
attacks.
For more information:
SA25678
SA26466
SA27398
SA28878
11) A vulnerability in WebKit can be exploited by malicious people to
compromise a user's system. or apply Security Update 2008-004.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0285 | CVE-2008-2308 | Apple Mac OS X of Alias Manager Elevation of privilege vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Unspecified vulnerability in Alias Manager in Apple Mac OS X 10.5.1 and earlier on Intel platforms allows local users to gain privileges or cause a denial of service (memory corruption and application crash) by resolving an alias that contains crafted AFP volume mount information. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30802
VERIFY ADVISORY:
http://secunia.com/advisories/30802/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and a weakness.
2) A weakness is caused due to users not being warned before opening
certain potentially unsafe content types, e.g. .xht and .xhtm files.
3) A format string error in c++filt can be exploited to exploited to
execute arbitrary code when a specially crafted string is passed to
the application.
4) An vulnerability in Dock can be exploited by malicious people with
physical access to a system to bypass the screen lock when Expos\xe9 hot
corners are set.
5) A race condition error exists in Launch Services in the download
validation of symbolic links. This can be exploited to execute
arbitrary code when a user visits a malicious web site.
Successful exploitation requires that the "Open 'safe' files" option
is enabled in Safari.
6) A vulnerability in Net-SNMP can be exploited by malicious people
to spoof authenticated SNMPv3 packets.
For more information:
SA30574
7) Some vulnerabilities in Ruby can be exploited by malicious people
to disclose sensitive information, cause a DoS (Denial of Service),
or potentially compromise a vulnerable system.
For more information:
SA29232
SA29794
NOTE: Reportedly, the directory traversal issue does not affect Mac
OS X.
8) A vulnerability in SMB File Server can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA30228
9) It is possible to store malicious files within the User Template
directory. This can be exploited to execute arbitrary code with
permissions of a new user when his home directory is created using
the User Template directory.
10) Some vulnerabilities in Tomcat can be exploited by malicious
users to disclose sensitive information and by malicious people to
disclose sensitive information or to conduct cross-site scripting
attacks.
For more information:
SA25678
SA26466
SA27398
SA28878
11) A vulnerability in WebKit can be exploited by malicious people to
compromise a user's system. or apply Security Update 2008-004.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0011 | CVE-2008-2314 | Apple Mac OS X of Dock Vulnerable to unlocking sleep mode and screensaver |
CVSS V2: 4.4 CVSS V3: - Severity: MEDIUM |
Dock in Apple Mac OS X 10.5 before 10.5.4, when Exposé hot corners is enabled, allows physically proximate attackers to gain access to a locked session in (1) sleep mode or (2) screen saver mode via unspecified vectors. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. Permissions license and access control issues exist in the Dock component of Apple Mac OS X prior to 10.5.4. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30802
VERIFY ADVISORY:
http://secunia.com/advisories/30802/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and a weakness.
1) An unspecified error in the Alias Manager when handling AFP volume
mount information in an alias data structure can be exploited to cause
a memory corruption and potentially execute arbitrary code.
2) A weakness is caused due to users not being warned before opening
certain potentially unsafe content types, e.g. .xht and .xhtm files.
3) A format string error in c++filt can be exploited to exploited to
execute arbitrary code when a specially crafted string is passed to
the application.
4) An vulnerability in Dock can be exploited by malicious people with
physical access to a system to bypass the screen lock when Expos\xe9 hot
corners are set.
5) A race condition error exists in Launch Services in the download
validation of symbolic links. This can be exploited to execute
arbitrary code when a user visits a malicious web site.
Successful exploitation requires that the "Open 'safe' files" option
is enabled in Safari.
6) A vulnerability in Net-SNMP can be exploited by malicious people
to spoof authenticated SNMPv3 packets.
For more information:
SA30574
7) Some vulnerabilities in Ruby can be exploited by malicious people
to disclose sensitive information, cause a DoS (Denial of Service),
or potentially compromise a vulnerable system.
For more information:
SA29232
SA29794
NOTE: Reportedly, the directory traversal issue does not affect Mac
OS X.
8) A vulnerability in SMB File Server can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA30228
9) It is possible to store malicious files within the User Template
directory. This can be exploited to execute arbitrary code with
permissions of a new user when his home directory is created using
the User Template directory.
10) Some vulnerabilities in Tomcat can be exploited by malicious
users to disclose sensitive information and by malicious people to
disclose sensitive information or to conduct cross-site scripting
attacks.
For more information:
SA25678
SA26466
SA27398
SA28878
11) A vulnerability in WebKit can be exploited by malicious people to
compromise a user's system. or apply Security Update 2008-004.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0010 | CVE-2008-2313 | Apple Mac OS X Elevation of privilege vulnerability in user temporary directory |
CVSS V2: 4.6 CVSS V3: - Severity: MEDIUM |
Apple Mac OS X before 10.5 uses weak permissions for the User Template directory, which allows local users to gain privileges by inserting a Trojan horse file into this directory. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30802
VERIFY ADVISORY:
http://secunia.com/advisories/30802/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and a weakness.
1) An unspecified error in the Alias Manager when handling AFP volume
mount information in an alias data structure can be exploited to cause
a memory corruption and potentially execute arbitrary code.
2) A weakness is caused due to users not being warned before opening
certain potentially unsafe content types, e.g. .xht and .xhtm files.
3) A format string error in c++filt can be exploited to exploited to
execute arbitrary code when a specially crafted string is passed to
the application.
4) An vulnerability in Dock can be exploited by malicious people with
physical access to a system to bypass the screen lock when Expos\xe9 hot
corners are set.
5) A race condition error exists in Launch Services in the download
validation of symbolic links. This can be exploited to execute
arbitrary code when a user visits a malicious web site.
Successful exploitation requires that the "Open 'safe' files" option
is enabled in Safari.
6) A vulnerability in Net-SNMP can be exploited by malicious people
to spoof authenticated SNMPv3 packets.
For more information:
SA30574
7) Some vulnerabilities in Ruby can be exploited by malicious people
to disclose sensitive information, cause a DoS (Denial of Service),
or potentially compromise a vulnerable system.
For more information:
SA29232
SA29794
NOTE: Reportedly, the directory traversal issue does not affect Mac
OS X.
8) A vulnerability in SMB File Server can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA30228
9) It is possible to store malicious files within the User Template
directory. This can be exploited to execute arbitrary code with
permissions of a new user when his home directory is created using
the User Template directory.
10) Some vulnerabilities in Tomcat can be exploited by malicious
users to disclose sensitive information and by malicious people to
disclose sensitive information or to conduct cross-site scripting
attacks.
For more information:
SA25678
SA26466
SA27398
SA28878
11) A vulnerability in WebKit can be exploited by malicious people to
compromise a user's system. or apply Security Update 2008-004.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0009 | CVE-2008-2311 | Apple Mac OS X of Launch Services Vulnerable to symbolic link attacks |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Launch Services in Apple Mac OS X before 10.5, when Open Safe Files is enabled, allows remote attackers to execute arbitrary code via a symlink attack, probably related to a race condition and automatic execution of a downloaded file. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30802
VERIFY ADVISORY:
http://secunia.com/advisories/30802/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and a weakness.
1) An unspecified error in the Alias Manager when handling AFP volume
mount information in an alias data structure can be exploited to cause
a memory corruption and potentially execute arbitrary code.
2) A weakness is caused due to users not being warned before opening
certain potentially unsafe content types, e.g. .xht and .xhtm files.
3) A format string error in c++filt can be exploited to exploited to
execute arbitrary code when a specially crafted string is passed to
the application.
4) An vulnerability in Dock can be exploited by malicious people with
physical access to a system to bypass the screen lock when Expos\xe9 hot
corners are set.
5) A race condition error exists in Launch Services in the download
validation of symbolic links. This can be exploited to execute
arbitrary code when a user visits a malicious web site.
Successful exploitation requires that the "Open 'safe' files" option
is enabled in Safari.
6) A vulnerability in Net-SNMP can be exploited by malicious people
to spoof authenticated SNMPv3 packets.
For more information:
SA30574
7) Some vulnerabilities in Ruby can be exploited by malicious people
to disclose sensitive information, cause a DoS (Denial of Service),
or potentially compromise a vulnerable system.
For more information:
SA29232
SA29794
NOTE: Reportedly, the directory traversal issue does not affect Mac
OS X.
8) A vulnerability in SMB File Server can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA30228
9) It is possible to store malicious files within the User Template
directory. This can be exploited to execute arbitrary code with
permissions of a new user when his home directory is created using
the User Template directory.
10) Some vulnerabilities in Tomcat can be exploited by malicious
users to disclose sensitive information and by malicious people to
disclose sensitive information or to conduct cross-site scripting
attacks.
For more information:
SA25678
SA26466
SA27398
SA28878
11) A vulnerability in WebKit can be exploited by malicious people to
compromise a user's system. or apply Security Update 2008-004.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200807-0008 | CVE-2008-2310 | Apple Mac OS X of c++filt Vulnerable to arbitrary code execution |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in c++filt in Apple Mac OS X 10.5 before 10.5.4 allows user-assisted attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string in (1) C++ or (2) Java source code. Apple Mac OS X is prone to multiple security vulnerabilities that have been addressed in Security Update 2008-004 and Mac OS X/Mac OS X Server 10.5.4.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30802
VERIFY ADVISORY:
http://secunia.com/advisories/30802/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Cross Site Scripting, Spoofing, Exposure of
sensitive information, Privilege escalation, DoS, System access
WHERE:
>From remote
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Apple has issued a security update for Mac OS X, which fixes multiple
vulnerabilities and a weakness.
1) An unspecified error in the Alias Manager when handling AFP volume
mount information in an alias data structure can be exploited to cause
a memory corruption and potentially execute arbitrary code.
2) A weakness is caused due to users not being warned before opening
certain potentially unsafe content types, e.g. .xht and .xhtm files.
4) An vulnerability in Dock can be exploited by malicious people with
physical access to a system to bypass the screen lock when Expos\xe9 hot
corners are set.
5) A race condition error exists in Launch Services in the download
validation of symbolic links. This can be exploited to execute
arbitrary code when a user visits a malicious web site.
Successful exploitation requires that the "Open 'safe' files" option
is enabled in Safari.
6) A vulnerability in Net-SNMP can be exploited by malicious people
to spoof authenticated SNMPv3 packets.
For more information:
SA30574
7) Some vulnerabilities in Ruby can be exploited by malicious people
to disclose sensitive information, cause a DoS (Denial of Service),
or potentially compromise a vulnerable system.
For more information:
SA29232
SA29794
NOTE: Reportedly, the directory traversal issue does not affect Mac
OS X.
8) A vulnerability in SMB File Server can be exploited by malicious
people to compromise a vulnerable system.
For more information:
SA30228
9) It is possible to store malicious files within the User Template
directory. This can be exploited to execute arbitrary code with
permissions of a new user when his home directory is created using
the User Template directory.
10) Some vulnerabilities in Tomcat can be exploited by malicious
users to disclose sensitive information and by malicious people to
disclose sensitive information or to conduct cross-site scripting
attacks.
For more information:
SA25678
SA26466
SA27398
SA28878
11) A vulnerability in WebKit can be exploited by malicious people to
compromise a user's system. or apply Security Update 2008-004.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0438 | No CVE | ServerView Web Interface Stack Overflow Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
ServerView is an asset management tool for automated analysis and version maintenance.
There are multiple stack overflow vulnerabilities in some components of the ServerView Web interface (such as SnmpGetMibValues.exe). If a remote attacker sends a malicious URL request to the Web interface, these overflows can be triggered, causing arbitrary instructions to be executed.
| VAR-200807-0340 | CVE-2008-3082 | Commtouch Enterprise Anti-Spam Gateway of UPM/English/login/login.asp Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in UPM/English/login/login.asp in Commtouch Enterprise Anti-Spam Gateway 4 and 5 allows remote attackers to inject arbitrary web script or HTML via the PARAMS parameter.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Commtouch Anti-Spam Enterprise Gateway 4 and 5 are vulnerable; other versions may also be affected. Commtouch Anti-Spam is an enterprise-level anti-spam protection platform developed by Israel Commtouch Company. The Commtouch Anti-Spam product regularly sends email reports to users, listing the blocked suspicious spam emails, and then users can click related links in the emails to confirm whether suspicious emails should be released. If an attacker sends an email message containing a malicious link, the user is tricked into clicking the link in the message, which can lead to a cross-site scripting attack.
Input passed to the "PARAMS" parameter in
AntiSpamGateway/UPM/English/login/login.asp is not properly sanitised
before being returned to a user.
The vulnerability is reported in version 4 and 5.
SOLUTION:
Filter malicious characters and character sequences using a web
proxy.
PROVIDED AND/OR DISCOVERED BY:
Erez Metula
ORIGINAL ADVISORY:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062955.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0343 | CVE-2008-2730 | Cisco Unified Communications Manager of RIS Data Collector Authentication bypass vulnerability in services |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3) and 6.x before 6.1(1) allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsj90843. The problem is Bug ID : CSCsj90843 It is a problem.Please refer to the “Overview” for the impact of this vulnerability.
Attackers can exploit this issue to gain read-only access to potentially sensitive information about a CUCM cluster. Information harvested can aid in further attacks.
The following versions of CUCM are affected:
4.2 prior to 4.2(3)SR4
4.3 prior to 4.3(2)SR1
5.0 prior to 5.1(3c)
6.0 prior to 6.1(2)
Unified CallManager 4.1 versions are also affected. In normal operation, Real-Time Monitoring Tool (RTMT) clients collect CUCM cluster statistics by authenticating to the Simple Object Access Protocol (SOAP)-based web interface, which proxies the authenticated connection to the RIS data collector process.
1) An unspecified error in the Computer Telephony Integration (CTI)
Manager service can be exploited to cause a DoS by sending a
specially crafted packet to port 2748/TCP. information about performance
statistics, user names, and configured IP phones.
PROVIDED AND/OR DISCOVERED BY:
VoIPshield
CHANGELOG:
2008-06-26: Added links to VoIPshield.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml
VoIPshield:
http://www.voipshield.com/research-details.php?id=64
http://www.voipshield.com/research-details.php?id=65
http://www.voipshield.com/research-details.php?id=66
http://www.voipshield.com/research-details.php?id=67
http://www.voipshield.com/research-details.php?id=68
http://www.voipshield.com/research-details.php?id=69
http://www.voipshield.com/research-details.php?id=70
http://www.voipshield.com/research-details.php?id=71
http://www.voipshield.com/research-details.php?id=72
http://www.voipshield.com/research-details.php?id=73
http://www.voipshield.com/research-details.php?id=74
http://www.voipshield.com/research-details.php?id=75
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0201 | CVE-2008-2061 | Cisco Unified Communications Manager CTI Service Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
The Computer Telephony Integration (CTI) Manager service in Cisco Unified Communications Manager (CUCM) 5.x before 5.1(3c) and 6.x before 6.1(2) allows remote attackers to cause a denial of service (TSP crash) via malformed network traffic to TCP port 2748. By a remote attacker, TCP port 2748 Service disruption through unauthorized network traffic to (DoS) There is a possibility of being put into a state.Please refer to the “Overview” for the impact of this vulnerability. Cisco Unified Communications Manager is prone to a denial-of-service vulnerability because it fails to handle malformed input.
An attacker can exploit this issue to cause an interruption in voice services.
This issue is documented by Cisco Bug ID CSCso75027.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for these vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml.
Administrators of systems that are running CUCM versions 5.x and 6.x
can determine the software version by viewing the main page of the
CUCM administration interface. The software version can also be
determined by running the command show version active via the command
line interface (CLI). No other Cisco products are currently known to be
affected by these vulnerabilities.
Details
=======
Cisco Unified Communications Manager (CUCM) is the call processing
component of the Cisco IP Telephony solution that extends enterprise
telephony features and functions to packet telephony network devices,
such as IP phones, media processing devices, VoIP gateways, and
multimedia applications. The CTI Manager service
listens by default on TCP port 2748 and is not user-configurable.
There is no workaround for this vulnerability. This vulnerability is
fixed in CUCM versions 5.1(3c) and 6.1(2).
Real-Time Information Server Data Collector Related Vulnerability
The Real-Time Information Server (RIS) Data Collector service of CUCM
versions 4.x, 5.x, and 6.x contains an authentication bypass
vulnerability that may result in the unauthorized disclosure of
certain CUCM cluster information. In normal operation, Real-Time
Monitoring Tool (RTMT) clients gather CUCM cluster statistics by
authenticating to a Simple Object Access Protocol (SOAP) based web
interface. The SOAP interface proxies authenticated connections to
the RIS Data Collector process. The RIS Data Collector service
listens on TCP port 2556 by default and is user configurable. By
connecting directly to the port that the RIS Data Collector process
listens on, it may be possible to bypass authentication checks and
gain read-only access to information about a CUCM cluster. The
information available includes performance statistics, user names,
and configured IP phones. This information may be used to mount
further attacks. No passwords or other sensitive CUCM configuration
may be obtained via this vulnerability. No CUCM configuration changes
can be made.
There is no workaround for this vulnerability. This vulnerability is
fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1).
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCso75027 - CTI Manager TSP Crash
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsq35151 - RISDC Authentication Bypass
CVSS Base Score - 5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 4.1
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
CSCsj90843 - RISDC Authentication Bypass
CVSS Base Score - 5
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 4.1
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerabilities in this advisory may
result in the interruption of voice services or disclosure of
information useful for reconnaissance.
Software Versions and Fixes
===========================
When considering software upgrades, also consult http://www.cisco.com/go/psirt
and any subsequent advisories to determine exposure and a
complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance. Cisco Unified CallManager 4.1 version
administrators are encouraged to upgrade to CUCM version 4.2(3)SR4 in
order to obtain fixed software. Version 4.2(3)SR4 can be downloaded
at the following link:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280264388&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20CallManager%20Version%204.2&isPlatform=N&treeMdfId=278875240&modifmdid=null&imname=null&hybrid=Y&imst=N
CUCM version 4.3(2)SR1 contains fixes for all vulnerabilities
affecting CUCM version 4.3 listed in this advisory and is scheduled
to be released in mid-July, 2008. Version 4.3(2)SR1 will be available
for download at the following link:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=280771554&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%204.3&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
CUCM version 5.1(3c) contains fixes for all vulnerabilities affecting
CUCM version 5.x listed in this advisory. Version 5.1(3c) can
downloaded at the following link:
http://tools.cisco.com/support/downloads/go/ReleaseType.x?optPlat=null&isPlatform=Y&mdfid=280735907&sftType=Unified%20Communications%20Manager%20Updates&treeName=Voice%20and%20Unified%20Communications&modelName=Cisco%20Unified%20Communications%20Manager%20Version%205.1&mdfLevel=Software%20Version/Option&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
CUCM version 6.1(2) contains fixes for all vulnerabilities affecting
CUCM version 6.x listed in this advisory. Version 6.1(2) can be
downloaded at the following link:
http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=Unified%20Communications%20Manager%20Updates&mdfid=281023410&treeName=Voice%20and%20Unified%20Communications&mdfLevel=Software%20Version/Option&url=null&modelName=Cisco%20Unified%20Communications%20Manager%20Version%206.1&isPlatform=N&treeMdfId=278875240&modifmdfid=null&imname=null&hybrid=Y&imst=N
Workarounds
===========
CTI Manager Related Vulnerability
It is possible to mitigate the CTI Manager vulnerability (CSCso75027)
by implementing filtering on screening devices. Administrators are
advised to permit access to TCP port 2748 only from networks that
contain systems running CTI-enabled applications.
RIS Data Collector Related Vulnerability
It is possible to mitigate the RIS Data Collector vulnerability
(CSCsq35151 and CSCsj90843) by implementing filtering on screening
devices. Administrators are advised to permit access to TCP port 2556
only from other CUCM cluster systems.
It is possible to change the default port (TCP 2556) of the RIS Data
Collector service. If changed, filtering should be based on the
values used.
Additional mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied
Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080625-cucm.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Cisco PSIRT greatly appreciates the opportunity to work with
researchers on security vulnerabilities and welcomes the opportunity
to review and assist in product reports. We would like to thank
VoIPshield for working with us towards the goal of keeping Cisco
networks and the Internet, as a whole, secure.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at :
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-June-25 | public |
| | | release |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at http://www.cisco.com/en/US/products/
products_security_vulnerability_policy.html. This includes
instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at http://www.cisco.com/
go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIYmPu86n/Gc8U/uARAnjvAJ9P4Ph/Lcj8OcF1ptXKm75OHJeNuQCfdcS2
N0WGH2mNx0asIo4pzmCb4VE=
=/vU7
-----END PGP SIGNATURE-----
.
PROVIDED AND/OR DISCOVERED BY:
VoIPshield
CHANGELOG:
2008-06-26: Added links to VoIPshield.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml
VoIPshield:
http://www.voipshield.com/research-details.php?id=64
http://www.voipshield.com/research-details.php?id=65
http://www.voipshield.com/research-details.php?id=66
http://www.voipshield.com/research-details.php?id=67
http://www.voipshield.com/research-details.php?id=68
http://www.voipshield.com/research-details.php?id=69
http://www.voipshield.com/research-details.php?id=70
http://www.voipshield.com/research-details.php?id=71
http://www.voipshield.com/research-details.php?id=72
http://www.voipshield.com/research-details.php?id=73
http://www.voipshield.com/research-details.php?id=74
http://www.voipshield.com/research-details.php?id=75
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor
| VAR-200806-0202 | CVE-2008-2062 | Cisco Unified Communications Manager of RIS Data Collector Authentication bypass vulnerability in services |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Real-Time Information Server (RIS) Data Collector service in Cisco Unified Communications Manager (CUCM) before 4.2(3)SR4, and 4.3 before 4.3(2)SR1, allows remote attackers to bypass authentication, and obtain cluster configuration information and statistics, via a direct TCP connection to the service port, aka Bug ID CSCsq35151. The problem is Bug ID : CSCsq35151 It is a problem.Please refer to the “Overview” for the impact of this vulnerability.
Attackers can exploit this issue to gain read-only access to potentially sensitive information about a CUCM cluster. Information harvested can aid in further attacks.
The following versions of CUCM are affected:
4.2 prior to 4.2(3)SR4
4.3 prior to 4.3(2)SR1
5.0 prior to 5.1(3c)
6.0 prior to 6.1(2)
Unified CallManager 4.1 versions are also affected. In normal operation, Real-Time Monitoring Tool (RTMT) clients collect CUCM cluster statistics by authenticating to the Simple Object Access Protocol (SOAP)-based web interface, which proxies the authenticated connection to the RIS data collector process.
1) An unspecified error in the Computer Telephony Integration (CTI)
Manager service can be exploited to cause a DoS by sending a
specially crafted packet to port 2748/TCP. information about performance
statistics, user names, and configured IP phones.
PROVIDED AND/OR DISCOVERED BY:
VoIPshield
CHANGELOG:
2008-06-26: Added links to VoIPshield.
ORIGINAL ADVISORY:
Cisco:
http://www.cisco.com/warp/public/707/cisco-sa-20080625-cucm.shtml
VoIPshield:
http://www.voipshield.com/research-details.php?id=64
http://www.voipshield.com/research-details.php?id=65
http://www.voipshield.com/research-details.php?id=66
http://www.voipshield.com/research-details.php?id=67
http://www.voipshield.com/research-details.php?id=68
http://www.voipshield.com/research-details.php?id=69
http://www.voipshield.com/research-details.php?id=70
http://www.voipshield.com/research-details.php?id=71
http://www.voipshield.com/research-details.php?id=72
http://www.voipshield.com/research-details.php?id=73
http://www.voipshield.com/research-details.php?id=74
http://www.voipshield.com/research-details.php?id=75
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0424 | CVE-2008-2306 | Apple Safari automatically executes downloaded files based on Internet Explorer zone settings |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Apple Safari before 3.1.2 on Windows does not properly interpret the URLACTION_SHELL_EXECUTE_HIGHRISK Internet Explorer zone setting, which allows remote attackers to bypass intended access restrictions, and force a client system to download and execute arbitrary files. Windows Edition Safari Is Internet Explorer There is a problem of automatically executing the downloaded file depending on the setting contents. As a result, a remote attacker may execute arbitrary code. Apple Safari is prone to a remote code-execution vulnerability.
Successfully exploiting this issue will allow attackers to run arbitrary code with the privileges of the user running the affected application.
This issue affects versions prior to Apple Safari 3.1.2 running on Microsoft Windows XP and Windows Vista. Safari is the web browser bundled by default in the Apple family operating system. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Apple Safari for Windows Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA30775
VERIFY ADVISORY:
http://secunia.com/advisories/30775/
CRITICAL:
Highly critical
IMPACT:
Exposure of sensitive information, System access
WHERE:
>From remote
REVISION:
1.1 originally posted 2008-06-20
SOFTWARE:
Safari for Windows 3.x
http://secunia.com/product/17978/
DESCRIPTION:
Some vulnerabilities and a security issue have been reported in Apple
Safari, which can be exploited by malicious people to disclose
sensitive information or to compromise a user's system.
1) A boundary error within the handling of BMP and GIF images can be
exploited to trigger an out-of-bounds read and disclose content in
memory.
3) An unspecified error in the handling of Javascript arrays can be
exploited to cause a memory corruption when a user visits a specially
crafted web page.
SOLUTION:
Update to version 3.1.2.
http://www.apple.com/support/downloads/safari312forwindows.html
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Gynvael Coldwind, Hispasec
2) Will Dormann, CERT/CC
3) James Urquhart
CHANGELOG:
2008-06-20: Added link to US-CERT.
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT2092
US-CERT VU#127185:
http://www.kb.cert.org/vuls/id/127185
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0321 | CVE-2008-2830 | Apple Mac OS X of ARDAgent Elevation of privilege vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Open Scripting Architecture in Apple Mac OS X 10.4.11 and 10.5.4, and some other 10.4 and 10.5 versions, does not properly restrict the loading of scripting addition plugins, which allows local users to gain privileges via scripting addition commands to a privileged application, as originally demonstrated by an osascript tell command to ARDAgent.
Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer.
This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable. A local attacker can invoke Mac OS X's ARDAgent via AppleScript (such as osascript). This vulnerability is currently being actively exploited by a Trojan named AppleScript.THT. Once the user is tricked into installing a malicious file with a Trojan horse, the Trojan horse will open file sharing, Web sharing, and remote login. The default file name of the Trojan is AStht_06.app, and the installation location is /Library/Caches.
The problem is that "ARDAgent", which is owned by "root" and has the
setuid bit set, can be invoked to execute shell commands via
AppleScript (e.g. through "osascript"). This can be exploited to
execute arbitrary commands with root privileges.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
Reported in the Macshadows.com forums and via Slashdot.
ORIGINAL ADVISORY:
http://www.macshadows.com/forums/index.php?showtopic=8640
http://it.slashdot.org/article.pl?sid=08/06/18/1919224
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0200 | CVE-2008-2060 | Cisco Intrustion Prevention System (IPS) Platforms Service disruption in inline mode (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in Cisco Intrusion Prevention System (IPS) 5.x before 5.1(8)E2 and 6.x before 6.0(5)E2, when inline mode and jumbo Ethernet support are enabled, allows remote attackers to cause a denial of service (panic), and possibly bypass intended restrictions on network traffic, via a "specific series of jumbo Ethernet frames.". Cisco Intrusion Prevention System (IPS) There is a service disruption (DoS) An unknown vulnerability exists.
An attacker can exploit this issue to cause a kernel panic and deny service for legitimate users.
Versions prior to Cisco Intrustion Prevention System 5.1(8)E2 and 6.0(5)E2 are vulnerable.
NOTE: This issue affects only platforms that contain gigabit network interfaces and are deployed in inline mode. Successful exploitation of the vulnerabilities described in this article could result in a denial of service over the network, requiring a power outage to resume operation.
SOLUTION:
Reportedly, fixed versions 5.1(8)E2 and 6.0(5)E2 will be available
soon.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. This vulnerability may lead to a kernel panic that requires a
power cycle to recover platform operation.
Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml.
To determine the version of software that is running on a Cisco IPS
platform, log into the platform using the console or Secure Shell
(SSH) and issue the show version command.
sensor# show version
Application Partition:
Cisco Intrusion Prevention System, Version 6.0(4a)E1
To determine whether a Cisco IPS platform has interfaces configured
for inline mode, log into the platform using the console or SSH and
issue the show interfaces command. Look for paired interfaces in the
Inline Mode statement of the command output.
sensor# show interfaces
...
MAC statistics from interface GigabitEthernet0/1
Interface function = Sensing interface
Description =
Media Type = TX
Missed Packet Percentage = 0
Inline Mode = Paired with interface GigabitEthernet0/0
...
MAC statistics from interface GigabitEthernet0/0
Interface function = Sensing interface
Description =
Media Type = TX
Missed Packet Percentage = 0
Inline Mode = Paired with interface GigabitEthernet0/1
Products Confirmed Not Vulnerable
+--------------------------------
The following Cisco IPS platforms are not vulnerable:
* 4210
* 4215
* SSM-AIP10
* SSM-AIP20
* SSM-AIP40
* AIM-IPS
* NM-CIDS
* IDSM2
Cisco IPS version 6.1(1) is not vulnerable. No other Cisco
products are currently known to be affected by this vulnerability.
Jumbo Ethernet support is usually deployed in data center
environments to increase inter-server communication performance and
is not a default configuration for Cisco routers and switches.
If they are configured to use bypass mode to allow traffic to pass in
the event of a system failure, all Cisco IPS platforms will fail to
forward traffic except for the 4260 and 4270 platforms. The Cisco IPS
4260 and 4270 platforms contain a hardware bypass feature that allows
them to pass network traffic in the event of a kernel panic or power
outage. They will pass traffic by default if the hardware bypass
feature is engaged.
This vulnerability is documented in Cisco Bug ID CSCso64762 and has
been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2008-2060.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
CSCso64762 - IPS Jumbo frame not processed properly
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - None
Availability Impact - Complete
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
Successful exploitation of the vulnerability may result in a network
denial of service condition. A power cycle is required to recover
operation. An attacker may be able to evade access controls and
detection of malicious activity in the case of Cisco IPS 4260/4270
platforms that have hardware bypass configured to pass traffic in the
event of a kernel panic.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
This vulnerability is fixed in Cisco IPS versions 5.1(8)E2 and 6.0(5)
E2 that are expected to be available for download by June 20, 2008.
Fixed software Cisco IPS version 5.1(8)E2 will be available at the
following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5?psrtdcat20e2
Fixed software Cisco IPS version 6.0(5)E2 will be available at the
following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/ips6?psrtdcat20e2
Workarounds
===========
To workaround this vulnerability, administrators can disable jumbo
Ethernet support on routers and switches directly that are connected
to vulnerable Cisco IPS platforms. This workaround may produce a
negative performance impact in certain environments. Administrators
are encouraged to upgrade to fixed software.
For more information about configuring Jumbo frames on Cisco
switches, please reference the following link:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html,
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows:
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was reported to Cisco by HD Moore of BreakingPoint
Systems.
Status of this Notice: FINAL
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080618-ips.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------+
| Revision | | Initial |
| 1.0 | 2008-June-18 | public |
| | | release. |
+---------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
iD8DBQFIWTYs86n/Gc8U/uARAn3FAKCIkVy8TfwwoKE3pFjMfRMyZN4+SACghKEB
Vb2Ngh4ALQrSRsWdWiy/2u4=
=IvlU
-----END PGP SIGNATURE-----
| VAR-200811-0235 | CVE-2008-5121 | Deterministic Network Enhancer privilege escalation vulnerability |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
dne2000.sys in Citrix Deterministic Network Enhancer (DNE) 2.21.7.233 through 3.21.7.17464, as used in (1) Cisco VPN Client, (2) Blue Coat WinProxy, and (3) SafeNet SoftRemote and HighAssurance Remote, allows local users to gain privileges via a crafted DNE_IOCTL DeviceIoControl request to the \\.\DNE device interface. Deterministic Network Enhancer (DNE) Contains an elevation of privilege vulnerability. As a result, local users Windows Arbitrary code may be executed with kernel privileges. Deterministic Networks Provided by Deterministic Network Enhancer (DNE) Is Microsoft Windows This product is an extension of the network stack. DNE Is Cisco VPN Client It is used by multiple products. DNE Driver dne2000.sys Contains an elevation of privilege vulnerability. For details, refer to the information provided by each vendor.Local users Windows Arbitrary code may be executed with kernel privileges. Successful attacks will completely compromise affected computers.
DNE 'dne2000.sys' 2.21.7.233 to 3.21.8 are vulnerable; other versions may also be affected. There is a loophole in the implementation of the DNE driver.
The vulnerability is reported in dne2000.sys versions 2.21.7.233 to
3.21.7.17464.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
mu-b
ORIGINAL ADVISORY:
http://www.digit-labs.org/files/exploits/dne2000-call.c
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0162 | CVE-2008-2707 | Sun Solaris of e1000g Service disruption in drivers (DoS) Vulnerabilities |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the e1000g driver in Sun Solaris 10 and OpenSolaris before snv_93 allows remote attackers to cause a denial of service (network connectivity loss) via unknown vectors. Sun Solaris of e1000g The driver has a service disruption (DoS) Vulnerabilities exist.Service disruption by a malicious local user (DoS) There is a possibility of being put into a state.
An attacker can exploit this issue to block all inbound network packets on the affected system, resulting in a denial-of-service condition.
This issue affects Solaris 10 and OpenSolaris for SPARC and x86 platforms. This can be exploited to block all incoming
traffic to the system.
SOLUTION:
Apply patches.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238250-1
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0345 | CVE-2008-2743 | Xerox 4110 Such as Copier/Printers Embedding Web Server cross-site scripting vulnerability |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in the embedded web server in Xerox 4110, 4590, and 4595 Copier/Printers allows remote attackers to inject arbitrary web script or HTML via unknown attack vectors. The webserver in multiple Xerox copier/printer models is prone to an unspecified HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code would execute in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.
The following Xerox copier/printer models are affected:
Xerox 4110
Xerox 4590
Xerox 4595. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Xerox Copier/Printer Products Web Server Unspecified Script Insertion
SECUNIA ADVISORY ID:
SA30639
VERIFY ADVISORY:
http://secunia.com/advisories/30639/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
>From local network
OPERATING SYSTEM:
Xerox 4110 Copier/Printer
http://secunia.com/product/19057/
Xerox 4590 Copier/Printer
http://secunia.com/product/19056/
Xerox 4595 Copier/Printer
http://secunia.com/product/19058/
DESCRIPTION:
A vulnerability has been reported in some Xerox Copier/Printer
products, which can be exploited by malicious people to conduct
script insertion attacks.
Certain unspecified input in the Web Server is not properly sanitised
before being used.
The vulnerability affects the following products:
* Xerox 4110 Copier/Printer
* Xerox 4590 Copier/Printer
* Xerox 4595 Copier/Printer
SOLUTION:
Apply updates (see vendor's advisory for details).
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Louhi Networks.
ORIGINAL ADVISORY:
XRX08-007:
http://www.xerox.com/downloads/usa/en/c/cert_XRX08_007.pdf
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200806-0031 | CVE-2008-2639 |
Citect SCADA ODBC Server Remote Stack Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-200806-0107, VAR-E-200806-0108 |
CVSS V2: 7.6 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the ODBC server service in Citect CitectSCADA 6 and 7, and CitectFacilities 7, allows remote attackers to execute arbitrary code via a long string in the second application packet in a TCP session on port 20222. Citect Made by company CitectSCADA Contains a buffer overflow vulnerability. Citect CitectSCADA Is SCADA (Supervisory Control And Data Acquisition) Software used for monitoring and control in the system. CitectSCADA Contains a buffer overflow vulnerability because it cannot properly handle crafted requests from clients.Arbitrary code is executed by a remote party or service operation is interrupted (DoS) There is a possibility of being attacked.
Citect SCADA and CitectFacilities include ODBC server functionality to provide remote SQL access to relational databases. The ODBC server component listens to client requests from the network on the port 20222 / tcp by default. The application layer protocol on TCP reads the 4-byte initial message to specify the length of the data in the next message, and then sockets from the same TCP. Word reads the next message of this length, where the first 5 bytes are a fixed header. After the second message in the network is read into the buffer, the data is copied to a fixed-size internal buffer on the stack.
Due to the lack of a correct length check of the data read, memory copy operations using fixed-size target buffers allocated on the stack may overflow, allowing unauthenticated remote attackers to execute arbitrary instructions on the vulnerable system . CitectSCADA is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks will likely cause denial-of-service conditions. ----------------------------------------------------------------------
Want a new job?
http://secunia.com/secunia_security_specialist/
http://secunia.com/hardcore_disassembler_and_reverse_engineer/
International Partner Manager - Project Sales in the IT-Security
Industry:
http://corporate.secunia.com/about_secunia/64/
----------------------------------------------------------------------
TITLE:
Citect Products ODBC Server Component Buffer Overflow
SECUNIA ADVISORY ID:
SA30638
VERIFY ADVISORY:
http://secunia.com/advisories/30638/
CRITICAL:
Moderately critical
IMPACT:
DoS, System access
WHERE:
>From local network
SOFTWARE:
CitectFacilities 7.x
http://secunia.com/product/19043/
CitectSCADA 6.x
http://secunia.com/product/19041/
CitectSCADA 7.x
http://secunia.com/product/19042/
DESCRIPTION:
Core Security Technologies has reported a vulnerability in
CitectSCADA and CitectFacilities, which can be exploited by malicious
people to cause a DoS (Denial of Service) or compromise a vulnerable
system.
The vulnerability is reported in the following versions:
* CitectSCADA v6
* CitectSCADA v7
* CitectFacilities v7
SOLUTION:
Contact the vendor for patches.
PROVIDED AND/OR DISCOVERED BY:
Sebasti\xe1n Mu\xf1iz, Core Security Technologies
ORIGINAL ADVISORY:
CORE-2008-0125:
http://www.coresecurity.com/index.php5?module=ContentMod&action=item&id=2186
OTHER REFERENCES:
US-CERT VU#476345:
http://www.kb.cert.org/vuls/id/476345
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor. -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs/
~ CitectSCADA ODBC service vulnerability
*Advisory Information*
Title: CitectSCADA ODBC service vulnerability
Advisory ID: CORE-2008-0125
Advisory URL: http://www.coresecurity.com/?action=item&id=2186
Date published: 2008-06-11
Date of last update: 2008-06-10
Vendors contacted: Citect
Release mode: Coordinated release
*Vulnerability Information*
Class: Buffer overflow
Remotely Exploitable: Yes
Locally Exploitable: Yes
Bugtraq ID: 29634
CVE Name: CVE-2008-2639
*Vulnerability Description*
Citect is a supplier of industrial automation software with headquarters
in Australia and over 20 offices in Oceania, South East Asia, China,
Japan, the Americas, Europe, Africa and the Middle East. Citect's
products are distributed in over 80 countries through a network of more
than 500 partners. According to Citect's website [1] the company, a
fully owned subsidiary of Schneider Electric, has more than 150,000
licenses of its software sold to date. Citect's products are used by
organizations worldwide in numerous industries including Aerospace &
Defense, Oil & Gas, Power/Utilities, Chemical, Pharmaceutical,
Manufacturing and others. with an integrated Human Machine Interface
(HMI) / SCADA solution to deliver a scalable and reliable control and
monitoring system. The system is composed by software installed on
standard computer equipment running on commercial-of-the-shelf Microsoft
Windows operating systems. To
accomplish such goal the would-be attacker must be able to connect to
the vulnerable service on a TCP high-port.
*Vulnerable Packages*
. CitectSCADA v6
. CitectSCADA v7
. CitectFacilities v7
*Non-vulnerable Packages*
. Contact the vendor for fixed versions of the product.
*Vendor Information, Solutions and Workarounds*
In general process control networks should be physically isolated from
corporate or other publicly accessible data networks as such an isolated
network will limit the exposure of systems with network facing
vulnerabilities only to accidental disruption or potentially malicious
users or systems within the process control network itself.
However, if physical isolation of the process control network is not
feasible it is strongly recommended to enforce and monitor strict
network access control mechanisms to verify that only the absolute
minimal required set of systems from both within and outside the process
control network are allowed to connect to any systems within the process
control network. In this particular case, access control mechanisms on
both end-systems and network boundary devices such as firewalls and
IPSes must ensure that only hardened and trusted systems from that
minimal set can connect to systems in the process control network
running potentially vulnerable software. Nonetheless systems on that
minimal set must still be considered potential attack vectors into the
process control network and should they become compromised, providers of
transitive trust from the process control network to external untrusted
systems.
Besides the recommendation of a secure network architecture with strict
network access control measures, OS hardening and other sound system
administration practices a specific workaround for the vulnerability
reported in this advisory is provided below.
The vulnerability is located in the ODBC server service, vulnerable
organizations that do not require ODBC connectivity may disable the
service with no adverse effects to the CitectSCADA software.
Installations that require ODBC connectivity to SQL databases,
spreadsheets, etc. will suffer loss of connection with ODBC data sources
if this workaround is applied. Vulnerable organizations should obtain
positive verification that ODBC connectivity is not necessary in their
installation and prepare appropriate contingency procedures before the
workaround is applied.
Vendor statement:
CitectSCADA is not designed to be accessible on public networks and
recommends that the SCADA and control networks be protected by firewall
or similar on live sites.
The system must be network hardened regardless of the corrupt packet
software change to ensure a secure system given the likelihood that on
the same network are open industry standard protocol devices perhaps
communicating via ethernet.
Please follow this link on Citect website under "Industries and
Solutions" for security, that provides some information for customers
interested in securing their SCADA systems:
http://www.citect.com/index.php?option=com_content&task=view&id=186&Itemid=322
*Credits*
This vulnerability was discovered and researched by Sebastian Mu\xf1iz from
the Core IMPACT Exploit Writers Team (EWT) at Core Security
Technologies. Exploitation was further investigated by Nicolas Economou
also from the Core IMPACT Exploit Writers Team (EWT).
Core would also like to thank Paul Fahey of AusCERT, Gaston Franco and
Patricia Prandini of ArCERT and Art Manion and Chris Taschner of CERT/CC
for their assistance during the vulnerability reporting process.
This bug is a textbook example of a classic stack-based buffer overflow
that can be exploited by overwriting the return address of the currently
running thread. The following binary excerpt shows the nature of the
problem:
/-----------
~ .text:0051BC33 loc_51BC33:
~ .text:0051BC33 lea ecx, [ebp+pDestBuffer]
~ .text:0051BC39 push ecx ; stack based buffer
~ .text:0051BC3A mov edx, [ebp+arg_0]
~ .text:0051BC3D push edx ; class that contains packet
~ .text:0051BC3E call sub_52125A ; memcpy
- -----------/
*Report Timeline*
. 2008-01-30:
Initial contact mail sent by Core to Citect's support team. 2008-01-30:
Additional mail sent to Citect support team asking for a software
security contact at Citect. 2008-01-30:
Email from Citect's support team acknowledging notification and
requesting information in plaintext. 2008-02-06:
Core sends the draft advisory, including proof of concept code to
demonstrate the vulnerability. 2008-02-28:
Core requests a response from the vendor and asks for the vendor's plan
to release fixes to vulnerable products. 2008-03-06:
Email from the vendor's technical architect confirms reception of the
report and indicating that there are not concerns around publication of
a security advisory disclosing the vulnerability. The vendor asks for a
phone conference to ensure that both Core and Citect have a common
understanding of the issue and expresses the possibility of adding
additional information to the advisory. The vendor also states that it
will formulate a plan for handling this issue. 2008-03-12:
Core asks to continue the discussion concerning the vulnerability by
mail so as to have all the involved parties informed simultaneously and
all communications documented. Core requests confirmation that the
vendor has been able to reproduce the vulnerability and requests details
concerning the plan to release fixes and asks for the additional
information that the vendor would like to include in the advisory (in
the "vendor information" section). Core reminds the vendor that the
original publication date of the advisory was February 25th and states
that the publication of the advisory is now re-scheduled to March 24th
because fixed versions were not available at the date initially scheduled. 2008-03-25:
Vendor confirms that it reproduced and identified the vulnerability and
indicates that the official stance is that CitectSCADA is not designed
to be accessible on public networks and recommends that SCADA and
control networks are protected by firewalls and other security measures
on live sites. The vendor also states that it has no immediate plans to
support CitectSCADA on public networks but is investigating the
possibility of having a security audit of the product. 2008-03-25:
Core notifies the vendor the intention to release the advisory on March
26th given that the vendor has no immediate plans for fixing the
vulnerability. 2008-03-26:
Core consults under NDA with a process control security expert to obtain
a better understanding of the scope and impact of the vulnerability. The
specific technical details about the vulnerability are not disclosed,
only the general type of bug and the specific TCP port on which the
vulnerable service listens are discussed. 2008-04-02:
Core revisits its current plan to disclose the vulnerability and decides
to get Computer Emergency Response Teams (CERTs) involved in the
process. Core notifies the vendor that it will postpone the publication
of the advisory, and that it will contact the Computer Emergency
Response Teams (CERTs) of countries were Core has physical offices
(Argentina and USA) and the country were Citect has its headquarters
(Australia). Core will then determine the contents and date of
publication for the security advisory based on further communication
with the vendor and CERTs and more precise details that the vendor may
provide regarding availability of fixes. 2008-04-02:
Core notifies the vendor that it will contact the CERTs of Australia,
USA and Argentina. Core reminds the vendor that the vulnerability
reported is a classic example of a stack-based buffer overflow bug
trivial to exploit in present times and that although the previous email
from the vendor provided a vague statement indicating that "the scenario
is under consideration for the next release", to date there has not been
any concrete details about development and release of fixes or a firm
commitment to any specific date to release them. 2008-04-08:
Core sends an initial notification to AusCERT, CERT/CC and ArCert
including a draft advisory describing the bug and the vendor's contact
information, requesting an acknowledgement within 2 working days. 2008-04-08:
AusCERT acknowledges reception of the advisory
. 2008-04-09:
ArCERT acknowledges reception of the advisory
. 2008-04-10:
CERT/CC acknowledges reception of the advisory on a phone call
. 2008-04-10:
AusCERT notifies Core that so far it has not been able to contact the
vendor and asks for approval to disseminate the information to the
Australian government and other national and international entities
overlooking national infrastructure security. AusCERT also asks if CORE
intends to publish the advisory and if so requests some time to be able
to notify affected organizations. Meanwhile AusCERT indicates that it
will continue to try to work with the vendor. 2008-04-10:
Core responds that it has no problems with AusCERT notifying other
parties that may be able to better prepare risk mitigation procedures
and/or work more closely with the vendor towards development and release
of a fix. However, Core asks to keep the dissemination of the
information to a minimum in order to avoid a potential leak. Core
indicates that it has asked the vendor to provide concrete details about
how and when it plans to address the issue and that based on the
response to that question it will determine a publication date for the
security advisory. Lacking a response from the vendor, Core will
determine the publication date based on the feedback received from the
CERTs and the progress of their preparations to address the report. 2008-04-10:
AusCERT asks if it is ok to contact other CERTs and international
government communities to make them aware of the issue and to ensure
everyone is prepared when the report is published. 2008-04-10:
Core response indicating that it is ok to contact any organization that
AusCERT deems relevant for the stated purpose
. 2008-04-10:
ArCert reports that it will start gathering information about
appropriate organizations in Argentina to report the problem and start
contacting them. 2008-04-11:
CERT/CC reports that US-CERT has been made aware of the issue and will
be kept updated going forward. If AusCERT is already in contact with the
vendor CERT/CC will standby and follow AusCERT's lead. 2008-04-14:
AusCERT reports that after several communication attempts the vendor
said that it will address the issue in the next release of the product
(by mid-year) and release a patch in a couple of months. However, the
information is not to be considered an official statement and there is
no official indication of a plan to provide immediate resolution. 2008-04-14:
CERT/CC asks if Core will publish the advisory before mid-year and
states concerns about the potential time elapsed between advisory
publication and release of the fix. CERT/CC will likely put out
information soon after Core does and expresses its interest to receive
more information from the vendor regarding their response plan. 2008-04-14:
AusCERT notes that Core has given the CERTs the time to notify possibly
affected organizations before the report is published and requests any
specific questions to be asked to the vendor. 2008-04-14:
Core states that it is entirely possible to re-visit the publication
date of the report (which has been done twice so far) but to do so Core
requires concrete details and a committed date for the release of a fix
noting that it wasn't until AusCERT's email from April 14th that the
possibility that the vendor would release of a patch seemed realistic.
Core is willing to postpone publication of the report provided that the
vendor commits to release a fix no later than June 30th (the upper bound
to the promised mid-year deadline indicated by the vendor). Core also
reminds the CERTs that its intent in notifying them of the bug was to
help to coordinate a way to address the bug should an official patch or
fix is not made available by the vendor. 2008-04-24:
Core sends an email to the 3 CERTs requesting a status update and any
further details about the availability of fixes. Core would like to set
a final date for the publication of its report. 2008-04-28:
AusCERT indicates that after several calls and messages, the vendor has
stated that it does not publish specific release schedules for updates
and does not indicate what will or will not be their contents and that
once a release is finalized all relevant materials are updated to
reflect that fact. AusCERT asks about Core's plans regarding the issue. 2008-04-28:
CERT/CC suggests that in light of the vendor statement one last effort
should be attempted, setting a date for publication one or two weeks
into the future and presenting the final drafts of the report to the vendor. 2008-04-28:
Core sets the advisory publication date to May 12th and indicates to the
three CERTs that the date is considered final unless concrete details
about a patch release schedule are communicated no later than May 8th.
The vendor has already been sent drafts of the advisory, the last one
sent on March 25th, and Core has little confidence that the current
status process will change in a positive manner. Core will consider the
time up to May 12th as a period to finalize the preparation of guidance
documents about how to deal with the issue without an official fix
available. Should such a document be provided, Core is willing and open
to include its recommendations in the security advisory. 2008-05-06:
Core informs the CERTs that it is still editing its security advisory
and that once the final draft is ready it will be sent for review to the
vendor and the CERTs before it is published. Core informs that it will
also issue a press release disclosing the issue and invites spokesmen
from any of the CERTs to participate with a quote should they want to do so. 2008-05-08:
CERT/CC acknowledges Core's email and thanks for the update indicating
that it will not participate in a press release. 2008-05-14:
Core sends its final draft of the security advisory to Citect and the 3
CERTs indicating that the publication date is set to May 19th, 2008 at
approximately 3pm UTC. Should the vendor or the CERTS have any official
comments or statements or workarounds that they would like to be
included in Core's advisory they must be provided them by email no later
than Friday May 16th 2008 at 9pm (UTC). 2008-05-15:
Email from the vendor indicating the Citect has allocated resources to
address the issue and is pleased to advise that a patch will be
available by the end of May. The vendor assumes that publication of the
advisory will be postponed given Core's previous email from April 14th
stating that it is willing to review the publication date if the vendor
commits to releasing a fix no later than June 30th. 2008-05-16:
Email from CERT/CC asking about Core's plan to publish the advisory and
stating that CERT/CC is inclined to hold off publication for a couple of
weeks provided that Core does the same. JPCERT has been informed of the
vulnerability to prepare for the upcoming disclosure. 2008-05-16:
Core sends email to Citect and the three CERTs stating that publication
of the advisory has been re-scheduled to June 2nd 2008 and reiterating
that should the vendor want to include additional information or
specific pointers to the patch it should be provided at least a day in
advance. 2008-05-28:
Core sends a follow up to the email sent on May 16th requesting
confirmation that Citect is on track to release fixes for the
vulnerability. Core had re-scheduled publication of the security
advisory to June 2nd, 2008 (next Monday) and wants to confirm that
software fixes will be ready to roll out and to provide the opportunity
to include in the advisory any official guidelines on how to obtain them
and/or any alternative workarounds to the problem. Specific questions
about the potential workaround of disabling the vulnerable service are
sent to the vendor as well as a request to provide a list of both
vulnerable and not vulnerable packages. This information should be
received no later than Friday June 30th, 2008 at 1pm UTC. 2008-06-01:
Email received from the vendor stating: "The fix is on track and is
currently in code review and testing stage. We will advise when and how
the patch will be released". 2008-06-01:
Core asks if the vendor has a concrete estimated date for the patch
release. It is noted that publication of the security advisory was
re-scheduled to June 2nd, 2008 on the basis of the vendor's commitment
to release fixes "by the end of May" as indicated in the vendor's email
from May 15th 2008. May is already past and Core still has no concrete
details about when and how the fixes will be available. Core also notes
that the previous email from May 28th 2008 had specific questions that
may help craft guidance and recommendations for vulnerable organizations
to mitigate risk due to the vendor's software security exposure and asks
if the vendor is able to provide answers to those specific inquires.
Core also states that it would like to discuss with the CERTs any
specific details and information about their plans to address this issue
in the upcoming week. In the absence of concrete fix details and
workarounds from the vendor Core would like to coordinate with CERTs the
dissemination of information to help reduce risk to vulnerable
organizations worldwide. 2008-06-01:
AusCERT indicates that it's ready for the publication and that it will
publish its own report after Core has done so. 2008-06-04:
Email from CERT/CC asking for a status update from Core and noting that
neither the vendor patches nor Core's advisory have been published by
June 2nd as planned. CERT/CC is ready to publish information about the
issue and is willing to do so on Core's timetable. 2008-06-04:
Citect informs that the patch for the reported issue has been completed
at the code level and is being QA tested. The timing of software
releases is a company commercial decision, and no guarantee of delivery
dates is given. However, the vendor anticipates the patch will be
published on its website in the next day or so, assuming QA approval is
given. The vendor informs that the suggested workaround of disabling
the ODBC server is viable for users that do not need this functionality
(most users of CitectSCADA) and would not affect the operation of the
software in any other way.
The vendor states that "Although this patch will be made available to
our supported customers, Citect maintains the stated stance that under
NO circumstances should any SCADA/PLC/DCS/RTU/Process Control network
should ever be exposed unprotected to the internet. The network should
either be securely firewalled or better still isolated, or otherwise
protected using approved IT security methodology. Citect has previously
published security recommendations in a whitepaper located on our
website at
http://www.citect.com/documents/whitepapers/SCADA%20Security%20Whitepaper.pdf
"SECURING AN INTEGRATED SCADA SYSTEM - Network Security & SCADA Systems
Whitepaper". The vendor also indicates that "copies of the security
alert report appear to have been circulated before the advised date of
publication, contrary to the undertaking given to Citect."
. 2008-06-04:
Core's email to Citect, AusCERT, CERT/CC and ArCert informing them that
publication of the security advisory has now been re-scheduled to June
11th 2008. The date is final. The advisory will include references to
the vendor's security recommendations and white paper as well as the
proposed workaround. Core also indicates that to date the company has
not published any report about the issue and has no indication of any
such reports circulating "in the wild" but cannot discard that as a
possibility given that the vendor's lack of proper secure communications
procedures forced all the involved parties to communicate without any
form of email encryption and that those communications have occurred
over a public network such as the Internet for a period of over 4 months. 2008-06-04:
Email from CERT/CC indicating that it will too publish a report on June
11th also noting the importance of sound system administration practices
such as disabling unneeded features and a secure network architecture.
CERT/CC agrees on the need of isolated or otherwise secured process
control networks but indicates that in practice that is not always the
case. Further information about any potential information leak is requested. 2008-06-10:
Final draft of the advisory sent to Citect and CERTs, asking for
confirmation that patches are now available. 2008-06-10:
Citect confirms that patches are available to customers upon request and
reiterates that the vendor's official stance is that the control network
must be secured, and customers requesting the patch will be offered
advice and links on how to do this. 2008-06-10:
CERT/CC asks for any official guidance or wording that could be used in
documents to direct readers appropriately. For example, an URL to a
support/contact web site, or a case number. 2008-06-11:
Security advisory CORE-2008-0125 published.
*References*
[1] Citect Corporate Profile
http://www.citect.com/index.php?option=com_content&task=view&id=94&Itemid=151
*About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.
*About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core augments its
leading technology solution with world-class security consulting
services, including penetration testing and software security auditing.
Based in Boston, MA and Buenos Aires, Argentina, Core Security
Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.
*Disclaimer*
The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.
*GPG/PGP Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkhP2lEACgkQyNibggitWa29yQCdHfYtgLzOvys9Msi95eqF8H/X
ADEAoKB9r52U9KXlEvBn5GgCaqXqC8OG
=5qtX
-----END PGP SIGNATURE-----