VARIoT IoT vulnerabilities database

The management interface in the phion airlock Web Application Firewall (WAF) 4.1-10.41 does not properly handle CGI requests that specify large width and height parameters for an image, which allows remote attackers to execute arbitrary commands or cause a denial of service (resource consumption) via a crafted request. Airlock Web Application Firewall is prone to a denial-of-service vulnerability. CGI requests specify large width and height parameters for images. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: phion airlock Web Application Firewall Command Injection Vulnerability SECUNIA ADVISORY ID: SA35641 VERIFY ADVISORY: http://secunia.com/advisories/35641/ DESCRIPTION: A vulnerability has been reported in phion airlock Web Application Firewall, which can be exploited by malicious people to compromise a vulnerable system. Input passed via certain unspecified parameters is not properly sanitised before being used. This can be exploited to inject and execute arbitrary commands by sending specially crafted requests to the management interface. The vulnerability is reported in version 4.1-10.41. Other versions may also be affected. SOLUTION: Apply the hotfix: https://techzone.phion.com/hotfix_HF4112 PROVIDED AND/OR DISCOVERED BY: Michael Kirchner, Wolfgang Neudorfer, and Lukas Nothdurfter. ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2009-July/069470.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The radware AppWall Web Application Firewall (WAF) 1.0.2.6, with Gateway 4.6.0.2, allows remote attackers to read source code via a direct request to (1) funcs.inc, (2) defines.inc, or (3) msg.inc in Management/. Gateway is prone to a remote security vulnerability. Radware AppWall is a hardware Web Application Firewall (WAF). The radware AppWall firewall operates as a reverse proxy between the client and the protected web server. All HTTP requests are inspected before being forwarded to the web server. The device can be managed through a separate management page that is normally inaccessible to external users. This web page is implemented using the PHP programming language. Some functions are stored in include files and embedded when needed. Because web servers do not interpret files with the extension *.inc, users with access to the management interface can access portions of the product source code by directly requesting the included files

The web-based management interfaces in Sourcefire Defense Center (DC) and 3D Sensor before 4.8.2 allow remote authenticated users to gain privileges via a $admin value for the admin parameter in an edit action to admin/user/user.cgi and unspecified other components. Sourcefire 3D Sensor and Defense Center are prone to multiple security-bypass vulnerabilities. An attacker may exploit these issues to gain administrative access to the vulnerable device, which may aid in further attacks. Versions prior to the following are vulnerable: Sourcefire 3D Sensor 4.8.2 Sourcefire Defense Center 4.8.2. Although the user.cgi PERL script correctly verifies that the incoming request belongs to an authenticated session, in this case it is blindly granted read and write access without regard to the role of the originator of the request, so even users with the lowest access levels (such as Users who have not configured any roles) can also promote them to administrators and change other roles or account parameters at will. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Sourcefire 3D Sensor and Defense Center "user.cgi" Security Bypass SECUNIA ADVISORY ID: SA35658 VERIFY ADVISORY: http://secunia.com/advisories/35658/ DESCRIPTION: Gregory Duchemin has reported a vulnerability in Sourcefire 3D Sensor and Sourcefire Defense Center, which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to improper access restrictions while processing requests sent to the admin/user/user.cgi script. This can be exploited to e.g. gain administrative access to the appliance by sending a specially crafted POST request to the affected script. NOTE: Other scripts are reportedly affected by similar errors. SOLUTION: Update to firmware version 4.8.2. PROVIDED AND/OR DISCOVERED BY: Gregory Duchemin ORIGINAL ADVISORY: http://milw0rm.com/exploits/9074 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the CoreTelephony component in Apple iPhone OS before 3.0.1 allows remote attackers to execute arbitrary code, obtain GPS coordinates, or enable the microphone via an SMS message that triggers memory corruption, as demonstrated by Charlie Miller at SyScan '09 Singapore. The Apple iPhone SMS application is prone to a remote code-execution vulnerability. Failed attacks will result in denial-of-service conditions. Very few details are available regarding this issue. We will update this BID as more information emerges. UPDATE (July 30, 2009): This BID was originally titled "Apple iPhone SMS Application Denial of Service Vulnerability"; it has been updated to reflect newly released information. Versions prior to iPhone OS 3.0.1 are vulnerable. Apple iPhone is a smart phone of Apple (Apple). ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple iPhone SMS Message Decoding Vulnerability SECUNIA ADVISORY ID: SA36070 VERIFY ADVISORY: http://secunia.com/advisories/36070/ DESCRIPTION: A vulnerability has been reported in Apple iPhone, which can be exploited by malicious people to compromise a user's system. SOLUTION: Update to version 3.0.1. PROVIDED AND/OR DISCOVERED BY: The vendor credits Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin. CHANGELOG: 2009-08-03: Added link to "Original Advisory" section. ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3754 Charlie Miller and Collin Mulliner: http://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Use-after-free vulnerability in the servePendingRequests function in WebCore in WebKit in Apple Safari 4.0 and 4.0.1 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted HTML document that references a zero-length .js file and the JavaScript reload function. NOTE: some of these details are obtained from third party information. Apple Safari is prone to a denial-of-service vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed. Safari 4.0 and 4.0.1 are vulnerable; other versions may also be affected. Safari is the web browser bundled by default in the Apple family machine operating system. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple Safari WebKit "servePendingRequests()" Use-After-Free Weakness SECUNIA ADVISORY ID: SA33495 VERIFY ADVISORY: http://secunia.com/advisories/33495/ DESCRIPTION: A weakness has been discovered in Apple Safari, which can be exploited by malicious people to cause a DoS (Denial of Service). The weakness is caused due to a use-after-free error while calling the "servePendingRequests()" function in WebKit. This can be exploited to dereference invalid memory and cause a crash when a user visits a specially crafted web page. Successful exploitation crashes the browser. However, even though code execution has not been proven, it cannot be completely ruled out. NOTE: Secunia normally does not classify a browser crash as a vulnerability nor issue an advisory about it. However, the potential impact of this issue may be more severe than currently believed. The weakness is confirmed in Apple Safari version 4.0 (530.17) for Windows. SOLUTION: Fixed in the WebKit development repository. http://trac.webkit.org/changeset/44519 Do not browse untrusted websites or follow untrusted links. PROVIDED AND/OR DISCOVERED BY: Marcell 'SkyOut' Dietl and Achim Hoffmann ORIGINAL ADVISORY: http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SUSE update for Multiple Packages SECUNIA ADVISORY ID: SA43068 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43068/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 RELEASE DATE: 2011-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/43068/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43068/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has issued an update for multiple packages, which fixes multiple vulnerabilities. For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server

The ARD-9808 DVR card security camera allows remote attackers to cause a denial of service via a long URI composed of //.\ (slash slash dot backslash) sequences. Armassa ARD-9808 is prone to an information-disclosure vulnerability and a buffer-overflow vulnerability. Successful exploits can allow attackers to obtain sensitive information or to execute arbitrary code in the context of the affected device's webserver. Failed attempts may lead to a denial-of-service condition. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: ARD-9808 DVR Card Software Web Server Two Vulnerabilities SECUNIA ADVISORY ID: SA35671 VERIFY ADVISORY: http://secunia.com/advisories/35671/ DESCRIPTION: Two vulnerabilities have been reported in ARD-9808 DVR Card, which can be exploited by malicious people to disclose sensitive information or potentially compromise a vulnerable system. 1) A boundary error in included web server can be exploited to cause a heap-based buffer overflow via an overly long HTTP request. 2) The included web server does not properly restrict access to the dvr.ini file. This can be exploited to disclose e.g. the username and password used to access the camera by downloading the file. SOLUTION: Restrict web access to trusted users only. PROVIDED AND/OR DISCOVERED BY: 1) Stack 2) Septemb0x ORIGINAL ADVISORY: 1) http://milw0rm.com/exploits/9067 2) http://milw0rm.com/exploits/9066 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Huawei D100 stores the administrator's account name and password in cleartext in a cookie, which allows context-dependent attackers to obtain sensitive information by (1) reading a cookie file, by (2) sniffing the network for HTTP headers, and possibly by using unspecified other vectors. D100 Router is prone to a information disclosure vulnerability. D100 is the world's first WiFi adapter that connects mobile phones, game consoles, PCs and laptops together via a WiFi link. Multiple security vulnerabilities exist in the D100 firmware and its default configuration, which may allow LAN users to gain unauthorized access to the device. #1 The web interface does not support HTTPS, an attacker can sniff the communication of the web interface. #2 The administrator's login username and password are stored in the cookie in clear text

The Huawei D100 allows remote attackers to obtain sensitive information via a direct request to (1) lan_status_adv.asp, (2) wlan_basic_cfg.asp, or (3) lancfg.asp in en/, related to use of JavaScript to protect against reading file contents. Huawei D100 is prone to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit theses issues to obtain sensitive information or gain unauthorized access and execute arbitrary commands with root privileges. D100 is the world's first WiFi adapter that connects mobile phones, game consoles, PCs and laptops together via a WiFi link. Multiple security vulnerabilities exist in the D100 firmware and its default configuration, which may allow LAN users to gain unauthorized access to the device. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Huawei D100 Information Disclosure and Undocumented Telnet Account SECUNIA ADVISORY ID: SA35638 VERIFY ADVISORY: http://secunia.com/advisories/35638/ DESCRIPTION: Filip Palian has reported a vulnerability and a security issue in Huawei D100, which can be exploited by malicious people to disclose sensitive information or compromise a vulnerable device. 1) Access to the "en/lan_status_adv.asp", "en/wlan_basic_cfg.asp", and "en/lancfg.asp" scripts is not properly restricted. This can be exploited to disclose sensitive information by accessing the scripts directly. 2) The device contains an undocumented telnet account ("admin") with a default password ("admin"). SOLUTION: Restrict internal network access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Filip Palian ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Huawei D100 has (1) a certain default administrator password for the web interface, and does not force a password change; and has (2) a default password of admin for the admin account in the telnet interface; which makes it easier for remote attackers to obtain access. Huawei D100 Contains the following flaws, which may result in a vulnerability in which access rights can be obtained. Huawei D100 is prone to a security-bypass vulnerability and an information-disclosure vulnerability. Attackers can exploit theses issues to obtain sensitive information or gain unauthorized access and execute arbitrary commands with root privileges. D100 is the world's first WiFi adapter that connects mobile phones, game consoles, PCs and laptops together via a WiFi link. Multiple security vulnerabilities exist in the D100 firmware and its default configuration, which may allow LAN users to gain unauthorized access to the device. #2 The Telnet service is enabled by default, and users in the LAN can use the default admin:admin account to log in with root user authority. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Huawei D100 Information Disclosure and Undocumented Telnet Account SECUNIA ADVISORY ID: SA35638 VERIFY ADVISORY: http://secunia.com/advisories/35638/ DESCRIPTION: Filip Palian has reported a vulnerability and a security issue in Huawei D100, which can be exploited by malicious people to disclose sensitive information or compromise a vulnerable device. 1) Access to the "en/lan_status_adv.asp", "en/wlan_basic_cfg.asp", and "en/lancfg.asp" scripts is not properly restricted. This can be exploited to disclose sensitive information by accessing the scripts directly. SOLUTION: Restrict internal network access to trusted users only. PROVIDED AND/OR DISCOVERED BY: Filip Palian ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Eval injection vulnerability in the csco_wrap_js function in /+CSCOL+/cte.js in WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass a DOM wrapper and conduct cross-site scripting (XSS) attacks by setting CSCO_WebVPN['process'] to the name of a crafted function, aka Bug ID CSCsy80694. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. This issue is documented by Cisco Bug ID CSCsy80694. Cisco ASA 8.0.(4), 8.1.2, and 8.2.1 are vulnerable. (http://www.cisco.com) Versions affected: 8.0(4), 8.1.2, and 8.2.1 Description: Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers. The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM. Credit: David Byrne of Trustwave's SpiderLabs Finding 1: Post-Authentication Cross-Site Scripting CVE: CVE-2009-1201 The ASA's DOM wrapper can be rewritten in a manner to allow Cross-Site Scripting (XSS) attacks. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement. function csco_wrap_js(str) { var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+ "/+CSCOL+/cte.js></scr"+ "ipt><script id=CSCO_GHOST src="+ CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>"; var js_mangled=CSCO_WebVPN['process']('js',str); ret+=CSCO_WebVPN['process']('html',eval(js_mangled)); return ret; }; To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept. <html><script> function a(b, c) { return "alert('Your VPN location:\\n\\n'+" + "document.location+'\\n\\n\\n\\n\\n" + "Your VPN cookie:\\n\\n'+document.cookie);"; } CSCO_WebVPN['process'] = a; csco_wrap_js(''); </script></html> Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 2: HTML Rewriting Bypass CVE: CVE-2009-1202 When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path: /+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+ +/ The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning: <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js"> However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the pages scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial. Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 3: Authentication Credential Theft CVE: CVE-2009-1203 When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website. /+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763 2e726b6e7a6379722e70627a The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server. Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Vendor Communication Timeline: 03/31/09 - Cisco notified of vulnerabilities 06/24/09 - Cisco software updates released; Advisory released Remediation Steps: Install updated software from Cisco. Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Cisco ASA WebVPN Multiple Vulnerabilities SECUNIA ADVISORY ID: SA35511 VERIFY ADVISORY: http://secunia.com/advisories/35511/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks. 1) Input passed within web pages is not properly sanitised before being used in a call to eval() in context of the VPN web portal. 3) A security issue exists in the handling of Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. This can be exploited to conduct spoofing attacks and potentially disclose the user's credentials if a user follows a specially crafted link. The vulnerabilities are reported in versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections. SOLUTION: Update to version 8.0.4(34), 8.1.2(25), or 8.2.1(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT PROVIDED AND/OR DISCOVERED BY: David Byrne, Trustwave's SpiderLabs ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=18373 http://tools.cisco.com/security/center/viewAlert.x?alertId=18442 http://tools.cisco.com/security/center/viewAlert.x?alertId=18536 Trustwave: https://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 allows remote attackers to bypass certain protection mechanisms involving URL rewriting and HTML rewriting, and conduct cross-site scripting (XSS) attacks, by modifying the first hex-encoded character in a /+CSCO+ URI, aka Bug ID CSCsy80705. Cisco ASA is prone to a security-bypass vulnerability. An attacker can exploit this issue to bypass HTML rewrite rules. Successfully exploiting this issue will aid in cross-site scripting attacks. This issue is documented by Cisco Bug ID CSCsy80705. Cisco ASA 8.0.(4), 8.1.2, and 8.2.1 are vulnerable. Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities Published: 2009-06-24 Version: 1.0 Vendor: Cisco Systems, Inc. (http://www.cisco.com) Versions affected: 8.0(4), 8.1.2, and 8.2.1 Description: Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers. The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement. function csco_wrap_js(str) { var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+ "/+CSCOL+/cte.js></scr"+ "ipt><script id=CSCO_GHOST src="+ CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>"; var js_mangled=CSCO_WebVPN['process']('js',str); ret+=CSCO_WebVPN['process']('html',eval(js_mangled)); return ret; }; To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept. <html><script> function a(b, c) { return "alert('Your VPN location:\\n\\n'+" + "document.location+'\\n\\n\\n\\n\\n" + "Your VPN cookie:\\n\\n'+document.cookie);"; } CSCO_WebVPN['process'] = a; csco_wrap_js(''); </script></html> Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 2: HTML Rewriting Bypass CVE: CVE-2009-1202 When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path: /+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+ +/ The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning: <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js"> However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the pages scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial. Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 3: Authentication Credential Theft CVE: CVE-2009-1203 When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website. /+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763 2e726b6e7a6379722e70627a The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server. Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Vendor Communication Timeline: 03/31/09 - Cisco notified of vulnerabilities 06/24/09 - Cisco software updates released; Advisory released Remediation Steps: Install updated software from Cisco. Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Cisco ASA WebVPN Multiple Vulnerabilities SECUNIA ADVISORY ID: SA35511 VERIFY ADVISORY: http://secunia.com/advisories/35511/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks. 1) Input passed within web pages is not properly sanitised before being used in a call to eval() in context of the VPN web portal. This can be exploited to execute arbitrary HTML and script code in user's browser session in context of the WebVPN. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the VPN web portal. 3) A security issue exists in the handling of Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. This can be exploited to conduct spoofing attacks and potentially disclose the user's credentials if a user follows a specially crafted link. The vulnerabilities are reported in versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections. SOLUTION: Update to version 8.0.4(34), 8.1.2(25), or 8.2.1(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT PROVIDED AND/OR DISCOVERED BY: David Byrne, Trustwave's SpiderLabs ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=18373 http://tools.cisco.com/security/center/viewAlert.x?alertId=18442 http://tools.cisco.com/security/center/viewAlert.x?alertId=18536 Trustwave: https://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

WebVPN on the Cisco Adaptive Security Appliances (ASA) device with software 8.0(4), 8.1.2, and 8.2.1 does not properly distinguish its own login screen from the login screens it produces for third-party (1) FTP and (2) CIFS servers, which makes it easier for remote attackers to trick a user into sending WebVPN credentials to an arbitrary server via a URL associated with that server, aka Bug ID CSCsy80709. Cisco Adaptive Security Appliance (ASA) is prone to a vulnerability that can aid in phishing attacks. An attacker can exploit this issue to display a fake login window that's visually similar to the device's login window, which may mislead users. This issue is tracked by Cisco Bug ID CSCsy80709. The attacker can exploit this issue to set up phishing attacks. Successful exploits could aid in further attacks. Versions prior to ASA 8.0.4.34 and 8.1.2.25 are vulnerable. Trustwave's SpiderLabs Security Advisory TWSL2009-002: Cisco ASA Web VPN Multiple Vulnerabilities Published: 2009-06-24 Version: 1.0 Vendor: Cisco Systems, Inc. (http://www.cisco.com) Versions affected: 8.0(4), 8.1.2, and 8.2.1 Description: Cisco's Adaptive Security Appliance (ASA) provides a number of security related features, including "Web VPN" functionality that allows authenticated users to access a variety of content through a web interface. This includes other web content, FTP servers, and CIFS file servers. The web content is proxied by the ASA and rewritten so that any URLs in the web content are passed as query parameters sent to the ASA web interface. Where scripting content is present, the ASA places a JavaScript wrapper around the original webpage's Document Object Model (DOM), to prevent the webpage from accessing the ASA's DOM. Credit: David Byrne of Trustwave's SpiderLabs Finding 1: Post-Authentication Cross-Site Scripting CVE: CVE-2009-1201 The ASA's DOM wrapper can be rewritten in a manner to allow Cross-Site Scripting (XSS) attacks. For example, the "csco_wrap_js" JavaScript function in /+CSCOL+/cte.js makes a call to a function referenced by "CSCO_WebVPN['process']". The result of this call is then used in an "eval" statement. function csco_wrap_js(str) { var ret="<script id=CSCO_GHOST src="+CSCO_Gateway+ "/+CSCOL+/cte.js></scr"+ "ipt><script id=CSCO_GHOST src="+ CSCO_Gateway+"/+CSCOE+/apcf></sc"+"ript>"; var js_mangled=CSCO_WebVPN['process']('js',str); ret+=CSCO_WebVPN['process']('html',eval(js_mangled)); return ret; }; To exploit this behavior, a malicious page can rewrite "CSCO_WebVPN['process']" with an attacker-defined function that will return an arbitrary value. The next time the "csco_wrap_js" function is called, the malicious code will be executed. Below is a proof of concept. <html><script> function a(b, c) { return "alert('Your VPN location:\\n\\n'+" + "document.location+'\\n\\n\\n\\n\\n" + "Your VPN cookie:\\n\\n'+document.cookie);"; } CSCO_WebVPN['process'] = a; csco_wrap_js(''); </script></html> Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT A vendor response will be posted at http://www.cisco.com/security This vulnerability is documented in Cisco Bug ID: CSCsy80694. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 2: HTML Rewriting Bypass CVE: CVE-2009-1202 When a webpage is requested through the ASA's Web VPN, the targeted scheme and hostname is Rot13-encoded, then hex-encoded and placed in the ASA's URL. For example, "http://www.trustwave.com" is accessed by requesting the following ASA path: /+CSCO+0075676763663A2F2F6A6A6A2E67656866676A6E69722E70627A+ +/ The HTML content of this request is obviously reformatted by the ASA, starting at the very beginning: <script id='CSCO_GHOST' src="/+webvpn+/toolbar.js"> However, if the request URL is modified to change the initial hex value of "00" to "01", the HTML document is returned without any rewriting. This allows the pages scriptable content to run in the ASA's DOM, making Cross-Site Scripting trivial. Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT A vendor response will be posted at http://www.cisco.com/security This vulnerability is documented in Cisco Bug ID: CSCsy80705. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Finding 3: Authentication Credential Theft CVE: CVE-2009-1203 When a user accesses an FTP or CIFS destination using the Web VPN, the resulting URL is formatted in a similar manner as the web requests described above. The following URL attempts to connect to ftp.example.com; normally, it would be in an HTML frame within the Web VPN website. /+CSCOE+/files/browse.html?code=init&path=ftp%3A%2F%2F736763 2e726b6e7a6379722e70627a The ASA first attempts to connect to the FTP server or CIFS share using anonymous credentials. If those fail, the user is prompted for login credentials. When viewed on its own (outside of a frame), the submission form gives no indication what it is for and is very similar in appearance to the Web VPN's primary login page. If the URL was sent to a user by an attacker, it is very possible that a user would assume that he needs to resubmit credentials to the Web VPN. The ASA would then forward the credentials to the attacker's FTP or CIFS server. Vendor Response: This vulnerability has been corrected in versions 8.0.4.34, and 8.1.2.25. Updated Cisco ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT A vendor response will be posted at http://www.cisco.com/security This vulnerability is documented in Cisco Bug ID: CSCsy80709. CVSS Score: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:U/RC:C Base: 4.3 Temporal: 3.9 Vendor Communication Timeline: 03/31/09 - Cisco notified of vulnerabilities 06/24/09 - Cisco software updates released; Advisory released Remediation Steps: Install updated software from Cisco. Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Cisco ASA WebVPN Multiple Vulnerabilities SECUNIA ADVISORY ID: SA35511 VERIFY ADVISORY: http://secunia.com/advisories/35511/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Cisco Adaptive Security Appliance (ASA), which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks. 1) Input passed within web pages is not properly sanitised before being used in a call to eval() in context of the VPN web portal. This can be exploited to execute arbitrary HTML and script code in user's browser session in context of the WebVPN. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the VPN web portal. 3) A security issue exists in the handling of Common Internet File System (CIFS) and FTP shares in the SSL VPN feature. This can be exploited to conduct spoofing attacks and potentially disclose the user's credentials if a user follows a specially crafted link. The vulnerabilities are reported in versions prior to 8.0.4(34), 8.1.2(25), and 8.2.1(3) that are configured to accept Clientless SSL VPN connections. SOLUTION: Update to version 8.0.4(34), 8.1.2(25), or 8.2.1(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/ASAPSIRT PROVIDED AND/OR DISCOVERED BY: David Byrne, Trustwave's SpiderLabs ORIGINAL ADVISORY: Cisco: http://tools.cisco.com/security/center/viewAlert.x?alertId=18373 http://tools.cisco.com/security/center/viewAlert.x?alertId=18442 http://tools.cisco.com/security/center/viewAlert.x?alertId=18536 Trustwave: https://www.trustwave.com/spiderlabs/advisories/TWSL2009-002.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Memory leak on the Cisco Physical Access Gateway with software before 1.1 allows remote attackers to cause a denial of service (memory consumption) via unspecified TCP packets. An attacker can exploit this issue to cause a memory leak, denying service to legitimate users. This issue is documented by Cisco Bug ID CSCsu95864. There are no workarounds available to mitigate the vulnerability. Cisco has released free software updates that address this vulnerability. This advisory is posted at: http://www.cisco.com/warp/public/707/cisco-sa-20090624-gateway.shtml Affected Products ================= Vulnerable Products +------------------ Cisco Physical Access Gateway running software versions prior to 1.1 are vulnerable. No other Cisco products are currently known to be affected by this vulnerability. A TCP three-way handshake is needed to exploit this vulnerability. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCsu95864 - Memory leak with certain IP packets CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the vulnerability described in this document may result in a memory leak. The issue could be repeatedly exploited to cause an extended DoS condition. Connected door hardware, such as card readers, locks, and other input/output devices will function intermittently during extended DoS exploitation. Doors will remain open or locked depending on the gateway's configuration. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. This vulnerability has been corrected in Cisco Physical Access Gateway software version 1.1 and can be downloaded from the following link: http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=280588231 Workarounds =========== No workarounds are available; however, mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090624-gateway.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http:/ www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was found during internal testing. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20090624-gateway.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-June-24 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFKQkn886n/Gc8U/uARArPGAJ9nfApuGoc+vhDOdoMMsmJCQCYlewCgmNk3 Fumou3/8V80HhnX9X+i8HUw= =8C2N -----END PGP SIGNATURE-----

The Cisco Video Surveillance Stream Manager firmware before 5.3, as used on Cisco Video Surveillance Services Platforms and Video Surveillance Integrated Services Platforms, allows remote attackers to cause a denial of service (reboot) via a malformed payload in a UDP packet to port 37000, related to the xvcrman process, aka Bug ID CSCsj47924. The problem is Bug ID : CSCsj47924 It is a problem.Port by third party 37000 To UDP Denial of service via malformed payload in packet (DoS) There is a possibility of being put into a state. An attacker can exploit this issue to trigger an affected device to reboot, causing denial-of-service conditions. This issue is documented by Cisco Bug ID CSCsj47924. Cisco Video Surveillance 2500 Series IP Cameras contain an information disclosure vulnerability that could allow an authenticated user to view any file on a vulnerable camera. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. An attacker could exploit this vulnerability by sending a crafted packet to UDP port 37000, which could cause the crash of a critical process and result in a system reboot. An authenticated user may be able to access a vulnerable camera and view any file through the embedded web server on TCP ports 80 (HTTP) and/or 443 (HTTPS), depending on the camera configuration. This vulnerability is documented in Cisco Bug IDs CSCsu05515 and CSCsr96497 (Wireless Cameras) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2046. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCsj47924 - Malformed payload to xvcrman process causes reboot CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsu05515 - SD Camera Web Server Will Display any File on System CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsr96497 - Wireless Camera HTTP Server Will Display any File on System CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Cisco Video Surveillance Stream Manager firmware vulnerability could cause a system reboot. Repeated exploitation may result in an extended DoS condition, which could prevent administrators from viewing video surveillance feeds. Successful exploitation of the Cisco Video Surveillance 2500 Series IP Cameras vulnerability could allow an authenticated user to view any file on a vulnerable camera. This vulnerability could allow a non-privileged user to obtain privileged access. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. On Cisco Video Surveillance 2500 Series IP Cameras, administrators are advised to restrict access to TCP ports 80 and 443 to trusted hosts. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090624-video.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were discovered by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090624-video.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-June-24 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFKQkGx86n/Gc8U/uARAv9aAJ98pru089mBxS+23qKumIpdlUdl9QCeMtnx K6USkfYe27MzZyC0XLW4U5s= =CjER -----END PGP SIGNATURE-----

The embedded web server on the Cisco Video Surveillance 2500 Series IP Camera with firmware before 2.1 allows remote attackers to read arbitrary files via a (1) http or (2) https request, related to the (a) SD Camera Web Server and the (b) Wireless Camera HTTP Server, aka Bug IDs CSCsu05515 and CSCsr96497. The problem is Bug ID : CSCsu05515 and CSCsr96497 It is a problem.By a third party http Or https An arbitrary file may be read through the request. Cisco Video Surveillance 2500 Series IP Cameras are prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. This issue is tracked by Cisco Bug IDs CSCsu05515 and CSCsr96497. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Vulnerabilities in Cisco Video Surveillance Products Advisory ID: cisco-sa-20090624-video Revision 1.0 For Public Release 2009 June 24 1600 UTC (GMT) +--------------------------------------------------------------------- Summary ======= Cisco Video Surveillance Stream Manager firmware for the Cisco Video Surveillance Services Platforms and Cisco Video Surveillance Integrated Services Platforms contain a denial of service (DoS) vulnerability that could result in a reboot on systems that receive a crafted packet. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities. An attacker could exploit this vulnerability by sending a crafted packet to UDP port 37000, which could cause the crash of a critical process and result in a system reboot. This vulnerability is documented in Cisco Bug ID CSCsj47924 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2045. This vulnerability is documented in Cisco Bug IDs CSCsu05515 and CSCsr96497 (Wireless Cameras) and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2009-2046. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss CSCsj47924 - Malformed payload to xvcrman process causes reboot CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsu05515 - SD Camera Web Server Will Display any File on System CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsr96497 - Wireless Camera HTTP Server Will Display any File on System CVSS Base Score - 6.8 Access Vector - Network Access Complexity - Low Authentication - Single Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 5.6 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the Cisco Video Surveillance Stream Manager firmware vulnerability could cause a system reboot. Repeated exploitation may result in an extended DoS condition, which could prevent administrators from viewing video surveillance feeds. This vulnerability could allow a non-privileged user to obtain privileged access. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Administrators are advised to restrict access to UDP port 37000 on vulnerable Cisco Video Surveillance Services Platform and Integrated Services Platform systems to trusted hosts. Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory, which is available at the following link: http://www.cisco.com/warp/public/707/cisco-amb-20090624-video.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html or as otherwise set forth at Cisco.com Downloads at: http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to: http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were discovered by Cisco. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20090624-video.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-bulletins@lists.first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2009-June-24 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at: http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at: http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- iD8DBQFKQkGx86n/Gc8U/uARAv9aAJ98pru089mBxS+23qKumIpdlUdl9QCeMtnx K6USkfYe27MzZyC0XLW4U5s= =CjER -----END PGP SIGNATURE-----

The CFCharacterSetInitInlineBuffer method in CoreFoundation.dll in Apple Safari 3.2.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a "high-bit character" in a URL fragment for an unspecified protocol. Apple Safari is prone to a denial-of-service vulnerability that stems from a NULL-pointer dereference. Attackers can exploit this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed. Versions prior to Apple Safari 4 are vulnerable

Apple Safari 3.2.3 does not properly implement the file: protocol handler, which allows remote attackers to read arbitrary files or cause a denial of service (launch of multiple Windows Explorer instances) via vectors involving an unspecified HTML tag, possibly a related issue to CVE-2009-1703. ( plural Windows Explorer Launch an instance ) There is a vulnerability that becomes a condition. Apple Safari is prone to an information-disclosure and denial-of-service vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this issue to access local files. On Microsoft Windows platforms, the attacker may launch rogue instances of Windows Explorer, which may affect the computer's overall stability, leading to a denial of service. This issue affects versions prior to Safari 4.0 running on Apple Mac OS X 10.5.6 and on Microsoft Windows XP and Vista

Cross-site scripting (XSS) vulnerability in WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms, allows remote attackers to inject arbitrary web script or HTML via vectors related to parent and top objects. WebKit is prone to a cross-domain scripting vulnerability. A remote attacker can exploit this vulnerability to bypass the same-origin policy and obtain potentially sensitive information or launch spoofing attacks against other sites. Other attacks are also possible. Safari is the web browser bundled by default in the Apple family machine operating system. A remote attacker can use this vulnerability to define some content in domain A and then use top and parent to call it in domain B. 2) An error in the WebKit component when handling numeric character references can be exploited to corrupt memory via a specially crafted web page. SOLUTION: Update to version 4.0.2. PROVIDED AND/OR DISCOVERED BY: 1) Reported by the vendor. 2) The vendor credits Chris Evans. ---------------------------------------------------------------------- Do you have VARM strategy implemented? (Vulnerability Assessment Remediation Management) If not, then implement it through the most reliable vulnerability intelligence source on the market. Implement it through Secunia. For more information visit: http://secunia.com/advisories/business_solutions/ Alternatively request a call from a Secunia representative today to discuss how we can help you with our capabilities contact us at: sales@secunia.com ---------------------------------------------------------------------- TITLE: Apple iPhone / iPod touch Multiple Vulnerabilities SECUNIA ADVISORY ID: SA36677 VERIFY ADVISORY: http://secunia.com/advisories/36677/ DESCRIPTION: Some vulnerabilities, security issues, and weaknesses have been reported in Apple iPhone and iPod touch, which can be exploited by malicious people with physical access to the device to bypass certain security restrictions or disclose sensitive information, and by malicious people to disclose sensitive information, conduct cross-site scripting and spoofing attacks, cause a DoS (Denial of Service), or to compromise a user's system. 1) An error in CoreAudio when processing sample size table entries of AAC and MP3 files can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code. 2) An error in Exchange Support exists due to the "Require Passcode" setting not being affected by the "Maximum inactivity time lock" setting. This may lead to a time window, regardless of the Maximum inactivity time lock" setting, in which a person with physical access to the device is able to use the Exchange services. 3) A security issue exists in MobileMail due to deleted mails being accessible via Spotlight search. This can be exploited by malicious people with physical access to the device to disclose potentially sensitive information. 4) An unspecified error exists in the Recovery Mode command parsing. This can be exploited by a person with physical access to a device to cause a heap-based buffer overflow and e.g. gain access to a locked device. 5) A NULL pointer dereference error within the handling of SMS arrival notifications can be exploited to cause a service interruption. 6) An error in the handling of passwords in UIKit can be exploited by a person with physical access to a device to disclose a password. 7) Safari includes the user name and password in the "Referer" header, which can lead to the exposure of sensitive information. 8) Two vulnerabilities in WebKit can be exploited by malicious people to conduct cross-site scripting attacks or potentially compromise a user's system. For more information see vulnerability #6 in: SA36269 SOLUTION: Update to iPhone OS 3.1 or iPhone OS for iPod touch 3.1.1 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: 1) Tobias Klein, trapkit.de The vendor credits: 2) Allan Steven, Robert Duran, Jeff Beckham of PepsiCo, Joshua Levitsky, Michael Breton of Intel Corporation, Mike Karban of Edward Jones, and Steve Moriarty of Agilent Technologies 3) Clickwise Software and Tony Kavadias 5) Charlie Miller of Independent Security Evaluators and Collin Mulliner of Technical University Berlin 6) Abraham Vegh 7) James A. T. Rice of Jump Networks Ltd ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3860 Tobias Klein: http://trapkit.de/advisories/TKADV2009-007.txt OTHER REFERENCES: SA35758: http://secunia.com/advisories/35758/ SA36269: http://secunia.com/advisories/36269/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . ---------------------------------------------------------------------- Secure your corporate defenses and reduce complexity in handling vulnerability threats with the new Secunia Vulnerability Intelligence Manager (VIM). Request a free trial: http://secunia.com/products/corporate/vim/ ---------------------------------------------------------------------- TITLE: SUSE update for Multiple Packages SECUNIA ADVISORY ID: SA43068 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43068/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 RELEASE DATE: 2011-01-25 DISCUSS ADVISORY: http://secunia.com/advisories/43068/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/43068/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=43068 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: SUSE has issued an update for multiple packages, which fixes multiple vulnerabilities. For more information: SA32349 SA33495 SA35095 SA35379 SA35411 SA35449 SA35758 SA36269 SA36677 SA37273 SA37346 SA37769 SA38061 SA38545 SA38932 SA39029 SA39091 SA39384 SA39661 SA39937 SA40002 SA40072 SA40105 SA40112 SA40148 SA40196 SA40257 SA40664 SA40783 SA41014 SA41085 SA41242 SA41328 SA41390 SA41443 SA41535 SA41841 SA41888 SA41968 SA42151 SA42264 SA42290 SA42312 SA42443 SA42461 SA42658 SA42769 SA42886 SA42956 SA43053 SOLUTION: Apply updated packages via YaST Online Update or the SUSE FTP server

GoAhead WebServer allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris. GoAhead WebServer is prone to a denial-of-service vulnerability. An attacker can exploit this issue to consume all available sockets, resulting in a denial-of-service condition. GoAhead WebServer is a small and exquisite embedded Web server of American Embedthis Company, which supports embedding in various devices and applications. This vulnerability has been confirmed in Slowloris

Netscape 6 and 8 allows remote attackers to cause a denial of service (memory consumption) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692. Netscape There is a service disruption ( Memory consumption ) There is a vulnerability that becomes a condition. Browsers from multiple vendors are prone to a denial-of-service vulnerability. Successfully exploiting this issue may allow attackers to crash an affected application. NOTE: This issue was previously covered in BID 35414 (Apple iPhone and iPod touch Prior to Version 3.0 Multiple Vulnerabilities), but has been assigned its own record to better document it