VARIoT IoT vulnerabilities database
| VAR-200901-0250 | CVE-2009-0005 | Apple QuickTime denial of service (DoS) and arbitrary code execution vulnerabilities | CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH |
Unspecified vulnerability in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted H.263 encoded movie file that triggers memory corruption. Apple QuickTime is prone to a memory-corruption issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player.
National Cyber Alert System
Technical Cyber Security Alert TA09-022A
Apple QuickTime Updates for Multiple Vulnerabilities
Original release date: January 22, 2009
Last revised: --
Source: US-CERT
Systems Affected
* Apple QuickTime 7.5 for Windows and Mac OS X
Overview
Apple has released QuickTime 7.6 to correct multiple
vulnerabilities affecting QuickTime for Mac OS X and Windows.
I. Description
Apple QuickTime 7.6 addresses a number of vulnerabilities affecting
QuickTime. This file could be hosted on a web page or sent via email.
II. Impact
The impacts of these vulnerabilities vary.
III. This and other updates are available via
Software Update or via Apple Downloads.
IV. References
* About the security content of QuickTime 7.6 -
<http://support.apple.com/kb/HT3403>
* Apple Support Downloads - <http://support.apple.com/downloads/>
* Mac OS X - updating your software -
<http://support.apple.com/kb/HT1338?viewlocale=en_US>
* Securing Your Web Browser -
<https://www.us-cert.gov/reading_room/securing_browser/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-022A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-022A Feedback VU#703068" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 22, 2009: Initial release
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33632
VERIFY ADVISORY:
http://secunia.com/advisories/33632/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) A boundary error exists in the processing of RTSP URLs. This can
be exploited to cause a heap-based buffer overflow when a specially
crafted RTSP URL is accessed.
2) An error due to improper validation of transform matrix data
exists when processing Track Header (THKD) atoms in QuickTime Virtual
Reality (QTVR) movie files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
3) An error in the processing of "nBlockAlign" values in the
"_WAVEFORMATEX" structure of AVI headers can be exploited to cause a
heap-based buffer overflow when a specially crafted AVI file is
accessed.
4) A boundary error exists in the processing of MPEG-2 video files
containing MP3 audio content, which can be exploited to cause a
buffer overflow via a specially crafted movie file.
5) An unspecified error exists in the processing of H.263 encoded
movie files, which can be exploited to cause a memory corruption when
a specially crafted movie file is viewed.
6) A signedness error exists within the processing of the MDAT atom
when handling Cinepak encoded movie files. This can be exploited to
cause a heap-based buffer overflow when a specially crafted movie
file is viewed.
7) An error exists within the function JPEG_DComponentDispatch() when
processing the image width data in JPEG atoms embedded in STSD atoms.
This can be exploited to cause a memory corruption when a specially
crafted movie file is viewed.
Successful exploitation of these vulnerabilities may allow execution
of arbitrary code.
SOLUTION:
Update to version 7.6.
QuickTime 7.6 for Windows:
http://support.apple.com/downloads/QuickTime_7_6_for_Windows
QuickTime 7.6 for Leopard:
http://support.apple.com/downloads/QuickTime_7_6_for_Leopard
QuickTime 7.6 for Tiger:
http://support.apple.com/downloads/QuickTime_7_6_for_Tiger
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Attila Suszter
4) Chad Dougherty, CERT Coordination Center
5) Dave Soldera, NGS Software
2, 3, 6, 7) An anonymous person, reported via ZDI
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3403
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-005/
http://www.zerodayinitiative.com/advisories/ZDI-09-006/
http://www.zerodayinitiative.com/advisories/ZDI-09-007/
http://www.zerodayinitiative.com/advisories/ZDI-09-008/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200901-0246 | CVE-2009-0001 | Apple QuickTime heap overflow vulnerability | CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a crafted RTSP URL. Apple QuickTime is prone to a remote heap-based buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Failed exploit attempts will result in a denial-of-service condition.
Versions prior to Apple QuickTime 7.6 are vulnerable. Apple QuickTime is Apple's multimedia framework, which can process digital video, pictures, sound and panoramic images in many formats.
| VAR-200901-0252 | CVE-2009-0007 | Apple QuickTime heap overflow vulnerability | CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QuickTime movie file containing invalid image width data in JPEG atoms within STSD atoms. User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists in the handling of JPEG atoms embedded in STSD atoms within the function JPEG_DComponentDispatch(). Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player.
ZDI-09-008: Apple QuickTime STSD JPEG Atom Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-008
January 21, 2009
-- CVE ID:
CVE-2009-0007
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6254. More
details can be found at:
http://support.apple.com/kb/HT3403
-- Disclosure Timeline:
2008-06-25 - Vulnerability reported to vendor
2009-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.
Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is being sent by 3Com for the sole use of the intended recipient(s) and
may contain confidential, proprietary and/or privileged information.
Any unauthorized review, use, disclosure and/or distribution by any
recipient is prohibited. If you are not the intended recipient, please
delete and/or destroy all copies of this message regardless of form and
any included attachments and notify 3Com immediately by contacting the
sender via reply e-mail or forwarding to 3Com at postmaster@3com.com.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200901-0247 | CVE-2009-0002 | Apple QuickTime heap overflow vulnerability | CVSS V2: 9.3 | CVSS V3: - | Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a QTVR movie file with crafted THKD atoms. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 'tkhd' atoms found inside QuickTimeVR files. Improper validation of the transform matrix data results in a heap chunk header overwrite leading to arbitrary code execution under the context of the currently logged in user. Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player.
ZDI-09-005: Apple QuickTime VR Track Header Atom Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-005
January 21, 2009
-- CVE ID:
CVE-2009-0002
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6449. More
details can be found at:
http://support.apple.com/kb/HT3403
-- Disclosure Timeline:
2008-09-16 - Vulnerability reported to vendor
2009-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
| VAR-200901-0251 | CVE-2009-0006 | Apple QuickTime heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Integer signedness error in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and possibly execute arbitrary code via a Cinepak encoded movie file with a crafted MDAT atom that triggers a heap-based buffer overflow.
User interaction is required to exploit this vulnerability in that the target must open a malicious file. The specific flaw exists in the handling of movie data encoded using the Cinepak Video Codec. When parsing the data in the MDAT atom, there exists a signedness error which leads to a heap overflow. When this occurs it can be further leveraged to execute arbitrary code under the context of the current user.
Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2 and SP3, and Mac OS X. Apple QuickTime is a very popular multimedia player.
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33632
VERIFY ADVISORY:
http://secunia.com/advisories/33632/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) A boundary error exists in the processing of RTSP URLs. This can
be exploited to cause a heap-based buffer overflow when a specially
crafted RTSP URL is accessed.
2) An error due to improper validation of transform matrix data
exists when processing Track Header (THKD) atoms in QuickTime Virtual
Reality (QTVR) movie files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
3) An error in the processing of "nBlockAlign" values in the
"_WAVEFORMATEX" structure of AVI headers can be exploited to cause a
heap-based buffer overflow when a specially crafted AVI file is
accessed.
4) A boundary error exists in the processing of MPEG-2 video files
containing MP3 audio content, which can be exploited to cause a
buffer overflow via a specially crafted movie file.
Successful exploitation of these vulnerabilities may allow execution
of arbitrary code.
SOLUTION:
Update to version 7.6.
QuickTime 7.6 for Windows:
http://support.apple.com/downloads/QuickTime_7_6_for_Windows
QuickTime 7.6 for Leopard:
http://support.apple.com/downloads/QuickTime_7_6_for_Leopard
QuickTime 7.6 for Tiger:
http://support.apple.com/downloads/QuickTime_7_6_for_Tiger
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Attila Suszter
4) Chad Dougherty, CERT Coordination Center
5) Dave Soldera, NGS Software
2, 3, 6, 7) An anonymous person, reported via ZDI
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3403
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-005/
http://www.zerodayinitiative.com/advisories/ZDI-09-006/
http://www.zerodayinitiative.com/advisories/ZDI-09-007/
http://www.zerodayinitiative.com/advisories/ZDI-09-008/
----------------------------------------------------------------------
ZDI-09-007: Apple QuickTime Cinepak Codec MDAT Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-007
January 21, 2009
-- CVE ID:
CVE-2009-2006
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6172.
-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:
http://support.apple.com/kb/HT3403
-- Disclosure Timeline:
2008-06-23 - Vulnerability reported to vendor
2009-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
| VAR-200901-0248 | CVE-2009-0003 | Apple QuickTime Heap overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in Apple QuickTime before 7.6 allows remote attackers to cause a denial of service (application termination) and execute arbitrary code via an AVI movie file with an invalid nBlockAlign value in the _WAVEFORMATEX structure.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of AVI files.
Apple QuickTime is prone to a heap-based buffer-overflow issue because it fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue by enticing an unsuspecting user to open a specially crafted movie file. Failed exploit attempts likely result in denial-of-service conditions.
This issue affects Apple QuickTime running on Microsoft Windows Vista, Windows XP SP2, and Mac OS X. Apple QuickTime is a very popular multimedia player.
ZDI-09-006: Apple QuickTime AVI Header nBlockAlign Heap Corruption Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-006
January 21, 2009
-- CVE ID:
CVE-2009-0003
-- Affected Vendors:
Apple
-- Affected Products:
Apple Quicktime
-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6642. More
details can be found at:
http://support.apple.com/kb/HT3403
-- Disclosure Timeline:
2008-10-15 - Vulnerability reported to vendor
2009-01-21 - Coordinated public release of advisory
-- Credit:
This vulnerability was discovered by:
* Anonymous
TITLE:
Apple QuickTime Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33632
VERIFY ADVISORY:
http://secunia.com/advisories/33632/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Apple QuickTime 7.x
http://secunia.com/advisories/product/5090/
DESCRIPTION:
Some vulnerabilities have been reported in Apple QuickTime, which can
be exploited by malicious people to compromise a user's system.
1) A boundary error exists in the processing of RTSP URLs. This can
be exploited to cause a heap-based buffer overflow when a specially
crafted RTSP URL is accessed.
2) An error due to improper validation of transform matrix data
exists when processing Track Header (THKD) atoms in QuickTime Virtual
Reality (QTVR) movie files. This can be exploited to cause a
heap-based buffer overflow via a specially crafted QTVR file.
4) A boundary error exists in the processing of MPEG-2 video files
containing MP3 audio content, which can be exploited to cause a
buffer overflow via a specially crafted movie file.
6) A signedness error exists within the processing of the MDAT atom
when handling Cinepak encoded movie files.
7) An error exists within the function JPEG_DComponentDispatch() when
processing the image width data in JPEG atoms embedded in STSD atoms.
SOLUTION:
Update to version 7.6.
QuickTime 7.6 for Windows:
http://support.apple.com/downloads/QuickTime_7_6_for_Windows
QuickTime 7.6 for Leopard:
http://support.apple.com/downloads/QuickTime_7_6_for_Leopard
QuickTime 7.6 for Tiger:
http://support.apple.com/downloads/QuickTime_7_6_for_Tiger
PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
1) Attila Suszter
4) Chad Dougherty, CERT Coordination Center
5) Dave Soldera, NGS Software
2, 3, 6, 7) An anonymous person, reported via ZDI
ORIGINAL ADVISORY:
Apple:
http://support.apple.com/kb/HT3403
ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-005/
http://www.zerodayinitiative.com/advisories/ZDI-09-006/
http://www.zerodayinitiative.com/advisories/ZDI-09-007/
http://www.zerodayinitiative.com/advisories/ZDI-09-008/
| VAR-200901-0445 | CVE-2008-3864 | Trend Micro NSC module firewall service denial of service (DoS) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
The ApiThread function in the firewall service (aka TmPfw.exe) in Trend Micro Network Security Component (NSC) modules, as used in Trend Micro OfficeScan 8.0 SP1 Patch 1 and Internet Security 2007 and 2008 17.0.1224, allows remote attackers to cause a denial of service (service crash) via a packet with a large value in an unspecified size field.
Successful exploits may allow an attacker to crash an affected application, execute arbitrary code, or bypass security.
3) Missing authentication to the Trend Micro Personal Firewall
service (TmPfw.exe) listening on port 40000/TCP by default can be
exploited by any local user to manipulate the firewall configuration
via specially crafted packets regardless of whether password
restriction has been enabled for the configuration interface.
The vulnerabilities are confirmed in versions 16.10.1063 and
16.10.1079. Other versions may also be affected.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2008-42/
http://secunia.com/secunia_research/2008-43/
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Less critical
Impact: Denial of Service
Privilege Escalation
Where: Local system
======================================================================
3) Vendor's Description of Software
"Trend Micro Internet Security provides smart, up-to-date protection
for your home network against present and future threats without
slowing down your PC."
These can be exploited by malicious, local users to cause a DoS
(Denial of Service) or potentially gain escalated privileges.
1) Input validation errors exist in the firewall service (TmPfw.exe)
within the "ApiThread()" function when processing packets sent to the
service (by default port 40000/TCP). These can be exploited to cause
heap-based buffer overflows via specially crafted packets containing a
small value in a size field.
2) Input validation errors exist in the firewall service (TmPfw.exe)
within the "ApiThread()" function when processing packets sent to the
service (by default port 40000/TCP). These can be exploited to crash
the service via specially crafted packets containing an overly large
value in a size field.
======================================================================
5) Solution
Apply patch for OfficeScan 8.0 SP1 Patch 1.
======================================================================
6) Time Table
17/10/2008 - Vendor notified.
18/10/2008 - Vendor response.
14/12/2008 - Vendor provides hotfix for testing.
19/12/2008 - Vendor informed that hotfix fixes vulnerabilities.
18/01/2009 - Vendor issues fix for OfficeScan 8.0 SP1 Patch 1.
20/01/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following CVE identifiers:
* CVE-2008-3864 (DoS via large size value)
* CVE-2008-3865 (buffer overflow)
Trend Micro:
http://www.trendmicro.com/ftp/documentation/readme/OSCE8.0_SP1_Patch1_CriticalPatch_3191_Readme.txt
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-42/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-200901-0408 | CVE-2009-0244 | Directory traversal vulnerability in the OBEX FTP service of the Microsoft Bluetooth stack running on Windows Mobile 6 Professional and on Windows Mobile 5.0 for Pocket PC and Pocket PC Phone Edition |
Related entries in the VARIoT exploits database: VAR-E-200901-1013 |
CVSS V2: 8.5 CVSS V3: 8.8 Severity: HIGH |
Directory traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth stack in Windows Mobile 6 Professional, and probably Windows Mobile 5.0 for Pocket PC and 5.0 for Pocket PC Phone Edition, allows remote authenticated users to list arbitrary directories, and create or read arbitrary files, via a .. (dot dot) in a pathname. NOTE: this can be leveraged for code execution by writing to a Startup folder.
Through .. (dot dot) strings in a pathname, arbitrary directories may be enumerated and arbitrary files may be created or viewed.
The HTC OBEX FTP service is prone to a directory-traversal vulnerability.
Exploiting this issue allows an attacker to write arbitrary files to locations outside the application's current directory, download arbitrary files, and obtain sensitive information. Other attacks may also be possible.
The issue affects HTC devices running the OBEX FTP service on Windows Mobile 6.0 and 6.1.
TITLE:
Microsoft Windows Mobile Bluetooth Stack OBEX Directory Traversal
SECUNIA ADVISORY ID:
SA33598
VERIFY ADVISORY:
http://secunia.com/advisories/33598/
CRITICAL:
Less critical
IMPACT:
Security Bypass, Exposure of system information, Exposure of
sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Microsoft Windows Mobile 6.x
http://secunia.com/advisories/product/14717/
DESCRIPTION:
Alberto Moreno Tablado has reported a vulnerability in Microsoft
Windows Mobile, which can be exploited by malicious users to disclose
sensitive information and bypass certain security restrictions.
Successful exploitation requires OBEX read or write access.
SOLUTION:
Restrict access to trusted users only.
PROVIDED AND/OR DISCOVERED BY:
Alberto Moreno Tablado
ORIGINAL ADVISORY:
http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html
----------------------------------------------------------------------
| VAR-200901-0447 | CVE-2008-3866 | Trend Micro NSC module Trend Micro Personal Firewall service access restriction bypass vulnerability |
CVSS V2: 4.6 CVSS V3: - Severity: Medium |
The Trend Micro Personal Firewall service (aka TmPfw.exe) in Trend Micro Network Security Component (NSC) modules, as used in Trend Micro OfficeScan 8.0 SP1 Patch 1 and Internet Security 2007 and 2008 17.0.1224, relies on client-side password protection implemented in the configuration GUI, which allows local users to bypass intended access restrictions and change firewall settings by using a modified client to send crafted packets.
Successful exploits may allow an attacker to crash an affected application, execute arbitrary code, or bypass security.
These issues affect the following:
Trend Micro OfficeScan Corporate Edition 8.0 SP1 Patch 1
Trend Micro Internet Security 2008
Trend Micro Internet Security Pro 2008
Trend Micro PC-cillin Internet Security 2007.
These can be
exploited to cause heap-based buffer overflows via specially crafted
packets containing a small value in a size field.
The vulnerabilities are confirmed in versions 16.10.1063 and
16.10.1079. Other versions may also be affected.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2008-42/
http://secunia.com/secunia_research/2008-43/
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Less critical
Impact: Security bypass
Where: Local system
======================================================================
3) Vendor's Description of Software
"Trend Micro Internet Security provides smart, up-to-date protection
for your home network against present and future threats without
slowing down your PC."
This can be exploited by malicious, local users to manipulate firewall
settings regardless of configured security settings. the firewall settings. To prevent any user
from changing the settings, password restriction can be enabled.
This can be exploited to manipulate the firewall settings regardless
of whether password restriction is enabled by sending specially
crafted packets to the service listening on port 40000/TCP.
======================================================================
5) Solution
Apply patch for OfficeScan 8.0 SP1 Patch 1.
======================================================================
6) Time Table
22/10/2008 - Vendor notified.
22/10/2008 - Vendor response.
14/12/2008 - Vendor provides hotfix for testing.
19/12/2008 - Vendor informed that hotfix fixes vulnerabilities.
18/01/2009 - Vendor issues fix for OfficeScan 8.0 SP1 Patch 1.
20/01/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-3866 for the vulnerability.
Trend Micro:
http://www.trendmicro.com/ftp/documentation/readme/OSCE8.0_SP1_Patch1_CriticalPatch_3191_Readme.txt
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-43/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
| VAR-200901-0446 | CVE-2008-3865 | Trend Micro NSC Module firewall heap-based buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: High |
Multiple heap-based buffer overflows in the ApiThread function in the firewall service (aka TmPfw.exe) in Trend Micro Network Security Component (NSC) modules, as used in Trend Micro OfficeScan 8.0 SP1 Patch 1 and Internet Security 2007 and 2008 17.0.1224, allow remote attackers to execute arbitrary code via a packet with a small value in an unspecified size field.
Successful exploits may allow an attacker to crash an affected application, execute arbitrary code, or bypass security.
These issues affect the following:
Trend Micro OfficeScan Corporate Edition 8.0 SP1 Patch 1
Trend Micro Internet Security 2008
Trend Micro Internet Security Pro 2008
Trend Micro PC-cillin Internet Security 2007.
3) Missing authentication to the Trend Micro Personal Firewall
service (TmPfw.exe) listening on port 40000/TCP by default can be
exploited by any local user to manipulate the firewall configuration
via specially crafted packets regardless of whether password
restriction has been enabled for the configuration interface.
The vulnerabilities are confirmed in versions 16.10.1063 and
16.10.1079. Other versions may also be affected.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2008-42/
http://secunia.com/secunia_research/2008-43/
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Less critical
Impact: Denial of Service
Privilege Escalation
Where: Local system
======================================================================
3) Vendor's Description of Software
"Trend Micro Internet Security provides smart, up-to-date protection
for your home network against present and future threats without
slowing down your PC.".
These can be exploited by malicious, local users to cause a DoS
(Denial of Service) or potentially gain escalated privileges.
1) Input validation errors exist in the firewall service (TmPfw.exe)
within the "ApiThread()" function when processing packets sent to the
service (by default port 40000/TCP). These can be exploited to cause
heap-based buffer overflows via specially crafted packets containing a
small value in a size field.
2) Input validation errors exist in the firewall service (TmPfw.exe)
within the "ApiThread()" function when processing packets sent to the
service (by default port 40000/TCP). These can be exploited to crash
the service via specially crafted packets containing an overly large
value in a size field.
======================================================================
5) Solution
Apply patch for OfficeScan 8.0 SP1 Patch 1.
======================================================================
6) Time Table
17/10/2008 - Vendor notified.
18/10/2008 - Vendor response.
14/12/2008 - Vendor provides hotfix for testing.
19/12/2008 - Vendor informed that hotfix fixes vulnerabilities.
18/01/2009 - Vendor issues fix for OfficeScan 8.0 SP1 Patch 1.
20/01/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Carsten Eiram, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following CVE identifiers:
* CVE-2008-3864 (DoS via large size value)
* CVE-2008-3865 (buffer overflow)
Trend Micro:
http://www.trendmicro.com/ftp/documentation/readme/OSCE8.0_SP1_Patch1_CriticalPatch_3191_Readme.txt
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-42/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-200901-0308 | CVE-2009-0270 | Fujitsu SystemcastWizard Lite of PXEService.exe Vulnerable to buffer overflow |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in PXEService.exe in Fujitsu SystemcastWizard Lite 2.0A, 2.0, 1.9, and earlier allows remote attackers to execute arbitrary code via a large PXE protocol request in a UDP packet.
Products that use the Preboot Execution Environment (PXE) SDK sample code provided by Intel contain multiple vulnerabilities. Products that use the PXE SDK sample code provided by Intel contain directory traversal and buffer overflow vulnerabilities. Nobuyuki Kanaya of Fujitsu Laboratories Ltd. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Information stored by the product using the PXE SDK sample code may be viewed, or arbitrary code may be executed.
Fujitsu Systemcast Wizard Lite is prone to a remote stack-based buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied input.
Attackers can leverage this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will compromise the application and the underlying computer. Failed attacks will cause denial-of-service conditions.
Systemcast Wizard Lite 2.0A and prior are vulnerable.
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Fujitsu SystemcastWizard Lite Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33594
VERIFY ADVISORY:
http://secunia.com/advisories/33594/
CRITICAL:
Moderately critical
IMPACT:
Exposure of system information, Exposure of sensitive information,
DoS, System access
WHERE:
From remote
SOFTWARE:
Fujitsu SystemcastWizard Lite 2.x
http://secunia.com/advisories/product/21065/
Fujitsu SystemcastWizard Lite 1.x
http://secunia.com/advisories/product/21064/
DESCRIPTION:
Some vulnerabilities have been reported in Fujitsu SystemcastWizard
Lite, which can be exploited by malicious people to disclose
sensitive information or to compromise a vulnerable system.
Successful exploitation allows execution of arbitrary code.
2) An input validation error in the TFTP service can be exploited to
download files from arbitrary locations via directory traversal
sequences.
The vulnerabilities are reported in versions 2.0, 2.0A, and prior 1.x
versions.
SOLUTION:
Apply vendor patch for versions after 1.6A.
Reportedly, a patch for previous versions will be available later.
PROVIDED AND/OR DISCOVERED BY:
1) Ruben Santamarta, Wintercore
2) Reported by the vendor.
ORIGINAL ADVISORY:
Fujitsu:
http://www.fujitsu.com/global/services/computing/server/primequest/products/os/windows-server-2008-2.html
Ruben Santamarta:
http://www.wintercore.com/advisories/advisory_W010109.html
----------------------------------------------------------------------
| VAR-200901-0402 | CVE-2008-5260 | AXIS Camera Control of CamImage.CamImage.1 ActiveX Control heap-based buffer overflow vulnerability |
CVSS V2: 9.3 CVSS V3: - Severity: HIGH |
Heap-based buffer overflow in the CamImage.CamImage.1 ActiveX control in AxisCamControl.ocx in AXIS Camera Control 2.40.0.0 allows remote attackers to execute arbitrary code via a long image_pan_tilt property value. Failed attacks will likely cause denial-of-service conditions.
Axis Camera Control 2.40.0.0 is vulnerable; other versions may also be vulnerable.
The vulnerability is confirmed in version 2.40.0.0. Prior versions
may also be affected.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2008-58/
Axis Communications:
http://www.axis.com/techsup/software/acc/files/acc_security_update_090119.pdf
----------------------------------------------------------------------
======================================================================
2) Severity
Rating: Highly critical
Impact: System compromise
Where: Remote
======================================================================
3) Vendor's Description of Software
"AXIS Camera Control (ActiveX component) makes it possible to view
Motion JPEG video streams from an Axis Network Video product directly
in Microsoft Development Tools and Microsoft Internet Explorer."
Product Link:
http://www.axis.com/techsup/software/acc/index.htm
======================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in AXIS Camera
Control, which can be exploited by malicious people to compromise a
user's system.
Successful exploitation allows execution of arbitrary code, but
requires that the user is tricked into visiting and clicking a
malicious web page.
======================================================================
5) Solution
The vendor recommends removing the ActiveX control and using
AXIS Media Control as a replacement.
======================================================================
6) Time Table
09/01/2009 - Vendor notified.
09/01/2009 - Vendor response.
23/01/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-5260 for the vulnerability.
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-58/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
| VAR-200901-0563 | No CVE | Multiple Sagem F@st Routers 'restoreinfo.cgi' Unauthorized Access Vulnerability |
CVSS V2: - CVSS V3: - Severity: - |
Multiple Sagem F@st routers are prone to an unauthorized-access vulnerability.
Attackers can exploit this issue to reset the router, possibly resulting in denial-of-service conditions. Other security implications that could aid in further attacks may also occur.
The following routers are affected:
Sagem F@st 1200
Sagem F@st 1240
Sagem F@st 1400
Sagem F@st 1400W
Sagem F@st 1500
Sagem F@st 1500-WG
Sagem F@st 2404
| VAR-200905-0213 | CVE-2009-0897 | IBM WebSphere Partner Gateway 'bcgarchive' Information Disclosure Vulnerability |
CVSS V2: 4.0 CVSS V3: - Severity: MEDIUM |
IBM WebSphere Partner Gateway (WPG) 6.1.0 before 6.1.0.1 and 6.1.1 before 6.1.1.1 allows remote authenticated users to obtain sensitive information via vectors related to the "schema DB2 instance id" and the bcgarchive (aka the archiver script). IBM WebSphere Partner Gateway (WPG) is prone to an information-disclosure vulnerability.
Exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks.
WPG 6.1.0 and 6.1.1 are vulnerable. WebSphere Partner Gateway is a centralized, integrated B2B trading partner and transaction management tool.
| VAR-200902-0034 | CVE-2009-0470 | Cisco IOS of HTTP Multiple cross-site scripting vulnerabilities in servers |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in the HTTP server in Cisco IOS 12.4(23) allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the default URI under (1) level/15/exec/-/ or (2) exec/, a different vulnerability than CVE-2008-3821. This vulnerability is distinct from CVE-2008-3821.
IOS is prone to a cross-site scripting vulnerability. Cisco IOS is an operating system developed by Cisco in the United States for its network equipment. This type of attack may result in replacing the target's management interface, or redirecting confidential information to an unauthorized third party; for example, the data returned by the /level/15/exec/-/show/run/CR URL can be modified through the XMLHttpRequest object. In addition, attackers can also perform administrative operations through cross-site request forgery attacks. For example, injecting an img tag pointing to /level/15/configure/-/enable/secret/newpass will change the enable password to newpass.
----------------------------------------------------------------------
TITLE:
Cisco IOS Cross-Site Scripting and Cross-Site Request Forgery
SECUNIA ADVISORY ID:
SA33844
VERIFY ADVISORY:
http://secunia.com/advisories/33844/
CRITICAL:
Less critical
IMPACT:
Cross Site Scripting
WHERE:
From remote
OPERATING SYSTEM:
Cisco IOS 12.x
http://secunia.com/advisories/product/182/
Cisco IOS R12.x
http://secunia.com/advisories/product/50/
DESCRIPTION:
Zloss has reported some vulnerabilities in Cisco IOS, which can be
exploited by malicious people to conduct cross-site scripting and
cross-site request forgery attacks.
1) Input passed via the URL when executing commands is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
2) The device allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to potentially alter the
configuration of the device by tricking the user into visiting a
malicious web site.
The vulnerabilities are reported in Cisco IOS firmware version
12.4(23). Other versions may also be affected.
SOLUTION:
Filter malicious characters and character sequences in a proxy.
Do not visit untrusted websites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY:
Zloss
ORIGINAL ADVISORY:
http://packetstormsecurity.org/0902-exploits/cisco12423-xss.txt
----------------------------------------------------------------------
| VAR-200901-0449 | CVE-2008-3818 | Cisco ONS Control Card Remote Denial of Service Vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco ONS 15310-CL, 15310-MA, 15327, 15454, 15454 SDH, and 15600 with software 7.0.2 through 7.0.6, 7.2.2, 8.0.x, 8.5.1, and 8.5.2 allows remote attackers to cause a denial of service (control-card reset) via a crafted TCP session. Cisco ONS is prone to a denial-of-service vulnerability when handling specially crafted TCP traffic.
An attacker can exploit this issue to cause the control cards in the affected devices to reload, denying service to legitimate users.
The following devices are affected:
Cisco ONS 15310-CL and 15310-MA
Cisco ONS 15327
Cisco ONS 15454 and 15454 SDH
Cisco ONS 15600
This issue is being tracked by Cisco BugID CSCsr41128.
Cisco Security Advisory: Cisco ONS Platform Crafted Packet
Vulnerability
Advisory ID: cisco-sa-20090114-ons
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
---------------------------------------------------------------------
Summary
=======
The Cisco ONS 15300 series Edge Optical Transport Platform, the Cisco
ONS 15454 Optical Transport Platform, the Cisco ONS 15454 SDH
Multiservice Platform, and the Cisco ONS 15600 Multiservice Switching
Platform contains a vulnerability when processing TCP traffic streams
that may result in a reload of the device control card.
Cisco has released free software updates that address this
vulnerability.
There are no workarounds that mitigate this vulnerability. Several
mitigations exist that can limit the exposure of this vulnerability.
To determine your software version, view the Help > About window on
the CTC management software. These control cards are usually connected to a
Data Communications Network (DCN). In this context the term DCN is
used to denote the network that transports management information
between a management station and the network entity (NE). This
definition of DCN is sometimes referred to as Management
Communication Network (MCN). The DCN is usually physically or
logically separated from the optical data network and isolated from
the Internet. This limits the exposure to the exploitation of this
vulnerability from the Internet.
A crafted stream of TCP traffic to the control cards on a node will
result in a reset of the corresponding control cards on this node. A
complete 3-way handshake is required on any open TCP port to be able
to exploit this vulnerability.
The timing for the data channels traversing the switch is provided by
the control cards.
When an active and a standby Cisco ONS 15310-MA, ONS 15310-CL, ONS
15327, ONS 15454 or ONS 15454 SDH control card reloads at the same
time, the synchronous data channels traversing the switch drop
traffic until the card comes back online. Asynchronous data channels
traversing the switch are not impacted. Manageability functions
provided by the network element using the CTX, CTX2500, XTC or
TCC/TCC+/TCC2/TCC2P control cards are not available until the control
card comes back online.
On the Cisco ONS 15600 hardware, whenever both the active and standby
control cards are rebooting at the same time, there is no impact to
the data channels traversing the switch because the TSC performs a
software reset which does not impact the timing being provided by the
TSC for the data channels.
Manageability functions provided by the network element through the
TSC control cards are not available until the control card comes back
online.
This vulnerability is documented in Cisco bug ID CSCsr41128
and has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2008-3818.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss
CVSS Base Score - 7.8
Access Vector : Network
Access Complexity : Low
Authentication : None
Confidentiality Impact: None
Integrity Impact : None
Availability Impact : Complete
CVSS Temporal Score - 6.4
Exploitability : Functional
Remediation Level : Official-Fix
Report Confidence : Confirmed
Impact
======
Successful exploitation of this vulnerability will result in a reset
of the node's control card. Repeated attempts to exploit this
vulnerability could result in a sustained DoS condition, dropping the
synchronous data channels traversing the switch (Cisco ONS 15310-MA,
ONS 15310-CL, ONS 15327, ONS 15454, ONS 15454 SDH) and preventing
manageability functions provided by the network element control cards
(all ONS switches) until the control card comes back online.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to
determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
+-------------------------------------------------------------------------+
| Affected Major Release | First Fixed Release |
|---------------------------------+---------------------------------------|
| 7.0 | Note: Releases prior to 7.0.2 are not |
| | vulnerable. First fixed in 7.0.7 |
|---------------------------------+---------------------------------------|
| 7.2 | Note: Releases prior to 7.2.2 are not |
| | vulnerable. First fixed in 7.2.3 |
|---------------------------------+---------------------------------------|
| 8.0 | Vulnerable; migrate to 8.5.3 or |
| | later. |
|---------------------------------+---------------------------------------|
| 8.5 | Note: Releases prior to 8.5.1 are not |
| | vulnerable. First fixed in 8.5.3 |
|---------------------------------+---------------------------------------|
| 9.0 | Not vulnerable. |
+-------------------------------------------------------------------------+
Note: Releases prior to 7.0 are not affected by this vulnerability.
Workarounds
===========
There are no workarounds for this vulnerability. The following
general mitigation actions help prevent remote exploitation:
* Isolate DCN:
Ensuring the DCN is physically or logically separated from the
customer network and isolated from the Internet will limit the
exposure to the exploitation of these vulnerabilities from the
Internet or customer networks.
* Apply Transit Access Control Lists:
Apply access control lists (ACLs) on routers / switches /
firewalls installed in front of the vulnerable network devices
such that TCP/IP traffic destined for the CTX, CTX2500, XTC,
TCC2/TCC2+/TCC2P, or TSC control cards on the ONS is allowed only
from the network management workstations.
For examples on how to apply ACLs on Cisco routers, refer to the
white paper "Transit Access Control Lists: Filtering at Your
Edge", which is available at the following link:
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:
http://www.cisco.com/warp/public/707/cisco-amb-20090114-ons.shtml
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at
http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html
or as otherwise set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regard to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.
Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized
telephone numbers, and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
This vulnerability was found by reviewing Cisco TAC service requests.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ons.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-----------------+------------------------+
| Revision 1.0 | 2009-January-14 | Initial public release |
+--------------+-----------------+------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt
| VAR-200901-0290 | CVE-2009-0053 | Cisco IronPort Encryption Appliance and Cisco IronPort PostX of PXE Encryption Vulnerability in obtaining decryption key |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to obtain the decryption key via unspecified vectors, related to a "logic error.". Cisco IronPort Encryption Appliance and PostX are prone to multiple information-disclosure and cross-site request-forgery vulnerabilities.
Attackers may exploit these issues to obtain sensitive information, including user passwords, or to modify user information through the web administration interface. This may aid in further attacks. IronPort series products are widely used email encryption gateways, which can seamlessly complete the encryption, decryption and digital signature of confidential emails.
Cisco Security Advisory: IronPort Encryption Appliance / PostX and
PXE Encryption Vulnerabilities
Advisory ID: cisco-sa-20090114-ironport
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account. These vulnerabilities do not affect Cisco Registered
Envelope Service users.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:
* All PostX 6.2.1 versions prior to 6.2.1.1
* All PostX 6.2.2 versions prior to 6.2.2.3
* All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
* All IronPort Encryption Appliance/PostX 6.2.5 versions
* All IronPort Encryption Appliance/PostX 6.2.6 versions
* All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
* All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
* All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2
The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Individual PXE Encryption users are vulnerable to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
The administration interface of IronPort Encryption Appliance devices
contains a cross-site request forgery (CSRF) vulnerability that could
allow an attacker to modify a user's IronPort Encryption Appliance
preferences, including their user name and personal security pass
phrase, if the user is logged into the IronPort Encryption Appliance
administration interface. Exploitation of the vulnerability will not
allow an attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 6403 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149
CVSS Base Score - 6.1
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document, available at
the following link, that describes several techniques for mitigating
these phishing-style attacks:
http://www.cisco.com/web/about/security/intelligence/bpiron.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.
J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.
All other vulnerabilities were discovered by Cisco or reported by
customers.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+--------------+-----------------+------------------------+
| Revision 1.0 | 2009-January-14 | Initial public release |
+--------------+-----------------+------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
----------------------------------------------------------------------
TITLE:
Cisco IronPort Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33479
VERIFY ADVISORY:
http://secunia.com/advisories/33479/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Cisco IronPort Encryption Appliance 6.x
http://secunia.com/advisories/product/20990/
SOFTWARE:
Cisco IronPort PostX 6.x
http://secunia.com/advisories/product/20991/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IronPort products,
which can be exploited by malicious people to disclose sensitive
information or conduct cross-site request forgery attacks.
3) The web-based administration interface allows users to perform
certain actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to e.g.
http://www.ironport.com/support/contact_support.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits J.B. Snyder of Brintech
ORIGINAL ADVISORY:
Cisco (cisco-sa-20090114-ironport):
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a5c4f7.shtml
----------------------------------------------------------------------
| VAR-200901-0291 | CVE-2009-0054 | Cisco IronPort Encryption Appliance of PXE Encryption and Cisco IronPort PostX Vulnerabilities in which authentication information is obtained |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
PXE Encryption in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to capture credentials by tricking a user into reading a modified or crafted e-mail message. Cisco IronPort Encryption Appliance and PostX are prone to multiple information-disclosure and cross-site request-forgery vulnerabilities.
Attackers may exploit these issues to obtain sensitive information, including user passwords, or to modify user information through the web administration interface. This may aid in further attacks. IronPort series products are widely used email encryption gateways, which can seamlessly complete the encryption, decryption and digital signature of confidential emails.
Cisco Security Advisory: IronPort Encryption Appliance / PostX and
PXE Encryption Vulnerabilities
Advisory ID: cisco-sa-20090114-ironport
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account. These vulnerabilities do not affect Cisco Registered
Envelope Service users.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:
* All PostX 6.2.1 versions prior to 6.2.1.1
* All PostX 6.2.2 versions prior to 6.2.2.3
* All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
* All IronPort Encryption Appliance/PostX 6.2.5 versions
* All IronPort Encryption Appliance/PostX 6.2.6 versions
* All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
* All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
* All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2
The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
The administration interface of IronPort Encryption Appliance devices
contains a cross-site request forgery (CSRF) vulnerability that could
allow an attacker to modify a user's IronPort Encryption Appliance
preferences, including their user name and personal security pass
phrase, if the user is logged into the IronPort Encryption Appliance
administration interface. Exploitation of the vulnerability will not
allow an attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 6403 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0056.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149
CVSS Base Score - 6.1
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document, available at
the following link, that describes several techniques for mitigating
these phishing-style attacks:
http://www.cisco.com/web/about/security/intelligence/bpiron.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.
J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.
All other vulnerabilities were discovered by Cisco or reported by
customers.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------------+
| Revision 1.0 | 2009-January-14 | Initial public release |
+---------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iD8DBQFJbhoo86n/Gc8U/uARAjuxAJ4oLc1JjS7N9728Ueb6JB7Y2LVJtACfaSfA
A6WIz481vajHya3jIlp+/Xc=
=cFJ6
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Did you know that a change in our assessment rating, exploit code
availability, or if an updated patch is released by the vendor, is
not part of this mailing-list?
Click here to learn more:
http://secunia.com/advisories/business_solutions/
----------------------------------------------------------------------
TITLE:
Cisco IronPort Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33479
VERIFY ADVISORY:
http://secunia.com/advisories/33479/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Cisco IronPort Encryption Appliance 6.x
http://secunia.com/advisories/product/20990/
SOFTWARE:
Cisco IronPort PostX 6.x
http://secunia.com/advisories/product/20991/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IronPort products,
which can be exploited by malicious people to disclose sensitive
information or conduct cross-site request forgery attacks.
3) The web-based administration interface allows users to perform
certain actions via HTTP requests without performing any validity
checks on those requests. This can be exploited to e.g.
http://www.ironport.com/support/contact_support.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits J.B. Snyder of Brintech
ORIGINAL ADVISORY:
Cisco (cisco-sa-20090114-ironport):
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a5c4f7.shtml
----------------------------------------------------------------------
About:
This advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/advisories/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
| VAR-200901-0304 | CVE-2009-0055 | Cisco IronPort Encryption Appliance and Cisco IronPort PostX Cross-site request forgery vulnerability in admin interface |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to modify appliance preferences as arbitrary users via unspecified vectors.
Attackers may exploit these issues to obtain sensitive information, including user passwords, or to modify user information through the web administration interface. This may aid in further attacks. IronPort series products are widely used e-mail encryption gateways that transparently handle the encryption, decryption and digital signing of confidential e-mail.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: IronPort Encryption Appliance / PostX and
PXE Encryption Vulnerabilities
Advisory ID: cisco-sa-20090114-ironport
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account. These vulnerabilities do not affect Cisco Registered
Envelope Service users.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:
* All PostX 6.2.1 versions prior to 6.2.1.1
* All PostX 6.2.2 versions prior to 6.2.2.3
* All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
* All IronPort Encryption Appliance/PostX 6.2.5 versions
* All IronPort Encryption Appliance/PostX 6.2.6 versions
* All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
* All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
* All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2
The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Individual PXE Encryption users are vulnerable to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account.
The IronPort Encryption Appliance contains a logic error that could
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
The administration interface of the IronPort Encryption Appliance and
PostX is affected by a cross-site request forgery (CSRF) vulnerability
that could allow a remote attacker to modify appliance preferences as
an arbitrary user. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.
A second CSRF vulnerability in the administration interface is
triggered via a logout action and could allow a remote attacker to
execute commands and modify appliance preferences as an arbitrary
user. Exploitation of the vulnerability will not allow an attacker to
change a user's password. This vulnerability is documented in
IronPort bug 6403 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2009-0056.
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149
CVSS Base Score - 6.1
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document that describes
several techniques for mitigating the phishing-style attacks; it is
available at the following link:
http://www.cisco.com/web/about/security/intelligence/bpiron.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.
J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.
All other vulnerabilities were discovered by Cisco or reported by
customers.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------------+
| Revision 1.0 | 2009-January-14 | Initial public release |
+---------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (SunOS)
iD8DBQFJbhoo86n/Gc8U/uARAjuxAJ4oLc1JjS7N9728Ueb6JB7Y2LVJtACfaSfA
A6WIz481vajHya3jIlp+/Xc=
=cFJ6
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
TITLE:
Cisco IronPort Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33479
VERIFY ADVISORY:
http://secunia.com/advisories/33479/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Cisco IronPort Encryption Appliance 6.x
http://secunia.com/advisories/product/20990/
SOFTWARE:
Cisco IronPort PostX 6.x
http://secunia.com/advisories/product/20991/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IronPort products,
which can be exploited by malicious people to disclose sensitive
information or conduct cross-site request forgery attacks.
3) The web-based administration interface allows users to perform
certain actions via HTTP requests without performing any validity
checks on those requests. This can be exploited to e.g.
http://www.ironport.com/support/contact_support.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits J.B. Snyder of Brintech
ORIGINAL ADVISORY:
Cisco (cisco-sa-20090114-ironport):
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a5c4f7.shtml
----------------------------------------------------------------------
| VAR-200901-0305 | CVE-2009-0056 | Cisco IronPort Encryption Appliance and Cisco IronPort PostX Cross-site request forgery vulnerability in admin interface |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-site request forgery (CSRF) vulnerability in the administration interface in Cisco IronPort Encryption Appliance 6.2.4 before 6.2.4.1.1, 6.2.5, 6.2.6, 6.2.7 before 6.2.7.7, 6.3 before 6.3.0.4, and 6.5 before 6.5.0.2; and Cisco IronPort PostX 6.2.1 before 6.2.1.1 and 6.2.2 before 6.2.2.3; allows remote attackers to execute commands and modify appliance preferences as arbitrary users via a logout action. Cisco IronPort Encryption Appliance and PostX are prone to multiple information-disclosure and cross-site request-forgery vulnerabilities.
Attackers may exploit these issues to obtain sensitive information, including user passwords, or to modify user information through the web administration interface. This may aid in further attacks. IronPort series products are widely used e-mail encryption gateways that transparently handle the encryption, decryption and digital signing of confidential e-mail.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: IronPort Encryption Appliance / PostX and
PXE Encryption Vulnerabilities
Advisory ID: cisco-sa-20090114-ironport
Revision 1.0
For Public Release 2009 January 14 1600 UTC (GMT)
+---------------------------------------------------------------------
Summary
=======
IronPort PXE Encryption is an e-mail encryption solution that is
designed to secure e-mail communications without the need for a
Public Key Infrastructure (PKI) or special agents on receiving
systems. When an e-mail message is targeted for encryption, the PXE
encryption engine on an IronPort e-mail gateway encrypts the original
e-mail message as an HTML file and attaches it to a notification
e-mail message that is sent to the recipient. The per-message key
used to decrypt the HTML file attachment is stored on a local
IronPort Encryption Appliance, PostX software installation or the
Cisco Registered Envelope Service, which is a Cisco-managed software
service.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
The IronPort PXE Encryption solution is affected by two
vulnerabilities that could allow unauthorized individuals to view the
contents of secure e-mail messages. To exploit the vulnerabilities,
attackers must first intercept secure e-mail messages on the network
or via a compromised e-mail account. These vulnerabilities do not affect Cisco Registered
Envelope Service users.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for the vulnerabilities
that are described in this advisory.
This advisory is posted at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
Affected Products
=================
Vulnerable Products
+------------------
The following IronPort Encryption Appliance/PostX versions are
affected by these vulnerabilities:
* All PostX 6.2.1 versions prior to 6.2.1.1
* All PostX 6.2.2 versions prior to 6.2.2.3
* All IronPort Encryption Appliance/PostX 6.2.4 versions prior to 6.2.4.1.1
* All IronPort Encryption Appliance/PostX 6.2.5 versions
* All IronPort Encryption Appliance/PostX 6.2.6 versions
* All IronPort Encryption Appliance/PostX 6.2.7 versions prior to 6.2.7.7
* All IronPort Encryption Appliance 6.3 versions prior to 6.3.0.4
* All IronPort Encryption Appliance 6.5 versions prior to 6.5.0.2
The version of software that is running on an IronPort Encryption
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
IronPort C, M and S-Series appliances are not affected by these
vulnerabilities. Although C-Series appliances can be configured to
use a local IronPort Encryption Appliance for per-message key
retention, the C-Series appliances are not vulnerable. The Cisco
Registered Envelope Service is not vulnerable.
No other Cisco products are currently known to be affected by these
vulnerabilities.
Details
=======
Note: IronPort tracks bugs using an internal system that is not
available to customers. The IronPort bug tracking identifiers are
provided for reference only.
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Individual PXE Encryption users are vulnerable to two message privacy
vulnerabilities that could allow an attacker to gain access to
sensitive information. All the vulnerabilities require an attacker to
first intercept a secure e-mail message as a condition for successful
exploitation. Attackers can obtain secure e-mail messages by
monitoring a network or a compromised user e-mail account.
The IronPort Encryption Appliance contains a logic error that could
allow an attacker to obtain the unique, per-message decryption key
that is used to protect the content of an intercepted secure e-mail
message without user interaction. Using the decryption key, an
attacker could decrypt the contents of the secure e-mail message.
This vulnerability is documented in IronPort bug 8062 and has been
assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2009-0053.
By modifying the contents of intercepted secure e-mail messages or by
forging a close copy of the e-mail message, it may be possible for an
attacker to convince a user to view a modified secure e-mail message
and then cause the exposure of the user's credentials and message
content. Please see the Workarounds section for more information on
mitigations available to reduce exposure to these phishing-style
attacks. This vulnerability is documented in IronPort bug 8149 and
has been assigned Common Vulnerabilities and Exposures (CVE)
identifier CVE-2009-0054.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
The administration interface of the IronPort Encryption Appliance and
PostX is affected by a cross-site request forgery (CSRF) vulnerability
that could allow a remote attacker to modify appliance preferences as
an arbitrary user. Exploitation of the vulnerability will not allow an
attacker to change a user's password. This vulnerability is
documented in IronPort bug 5806 and has been assigned Common
Vulnerabilities and Exposures (CVE) identifier CVE-2009-0055.
A second CSRF vulnerability in the administration interface is
triggered via a logout action and could allow a remote attacker to
execute commands and modify appliance preferences as an arbitrary
user. Exploitation of the vulnerability will not allow an attacker to
change a user's password. This vulnerability is documented in
IronPort bug 6403 and has been assigned Common Vulnerabilities and
Exposures (CVE) identifier CVE-2009-0056.
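As an added illustration (not code from the Cisco advisory, from Secunia, or from IronPort), the following Python sketch shows the class of defect the Details section and the Secunia item describe for the administration interface: state-changing actions such as a preferences update or a logout accepted on nothing more than a valid session cookie. It places that pattern beside a synchronizer-token check, with a POST-only rule and an Origin comparison, that refuses such requests. The paths, header values, session model and request data are constructed assumptions for the example and are not the appliance's own.

```python
"""Added example: CSRF-prone action handling beside a token-checked version.
Nothing here is IronPort code; paths, headers and data are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    prefs: dict = field(default_factory=dict)
    logged_in: bool = True
    # Per-session secret; a page on another site cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: dict
    headers: dict  # constructed subset of headers: Origin and Host


STATE_CHANGING = {"/admin/preferences", "/admin/logout"}  # assumed paths


def apply_action(session: Session, req: Request) -> str:
    """Performs the requested action; shared by both handlers below."""
    if req.path == "/admin/preferences":
        session.prefs.update({k: v for k, v in req.form.items() if k != "csrf_token"})
        return "preferences updated"
    if req.path == "/admin/logout":
        session.logged_in = False
        return "logged out"
    return "not found"


def vulnerable_handler(session: Session, req: Request) -> str:
    """The pattern the advisory describes: the action runs for any request
    that arrives with a valid session, with no check that the user meant it."""
    if req.method not in ("GET", "POST"):
        return "method not allowed"
    return apply_action(session, req)


def _same_origin(req: Request) -> bool:
    """True only when the browser-set Origin names this host (assumed HTTPS)."""
    origin = req.headers.get("Origin")
    host = req.headers.get("Host")
    # A missing Origin is treated as a failure for state-changing requests.
    return origin is not None and host is not None and origin == f"https://{host}"


def hardened_handler(session: Session, req: Request) -> str:
    """Mitigated: state changes need POST, a same-origin Origin header and the
    per-session token, compared in constant time."""
    if req.path in STATE_CHANGING:
        if req.method != "POST":
            return "rejected: state change must use POST"
        if not _same_origin(req):
            return "rejected: cross-origin request"
        submitted = req.form.get("csrf_token", "")
        if not hmac.compare_digest(submitted, session.csrf_token):
            return "rejected: missing or invalid CSRF token"
    return apply_action(session, req)


def demo() -> dict:
    """Runs one cross-site request and one legitimate request through both
    handlers and reports the outcome and resulting session state."""
    results = {}
    # Constructed cross-site request: the browser attaches the victim's session,
    # but the submitting page cannot supply the token and Origin names that site.
    forged = Request("POST", "/admin/preferences",
                     {"notify_email": "evil@example.invalid"},
                     {"Origin": "https://other.example", "Host": "admin.example"})
    legit = Request("POST", "/admin/preferences",
                    {"notify_email": "me@example.test"},
                    {"Origin": "https://admin.example", "Host": "admin.example"})
    s1 = Session("alice")
    results["vuln_forged"] = (vulnerable_handler(s1, forged), s1.prefs.get("notify_email"))
    s2 = Session("alice")
    results["hard_forged"] = (hardened_handler(s2, forged), s2.prefs.get("notify_email"))
    s3 = Session("alice")
    legit.form["csrf_token"] = s3.csrf_token  # the real page embeds the token
    results["hard_legit"] = (hardened_handler(s3, legit), s3.prefs.get("notify_email"))
    # The logout-action variant: a GET to the logout path is refused outright.
    s4 = Session("alice")
    logout = Request("GET", "/admin/logout", {}, {"Host": "admin.example"})
    results["hard_logout"] = (hardened_handler(s4, logout), s4.logged_in)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The three checks are layered on purpose: the POST rule stops link- and image-triggered requests, the Origin comparison stops forged form posts from other sites on browsers that send the header, and the token is the check that does not depend on the client at all. The constant-time comparison avoids leaking the token through timing, and a GET logout is refused even though it carries no token field, which is the case the logout-action bug describes.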
Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.
CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding
CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html
Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss
PXE Encryption Message Decryption Vulnerability - IronPort Bug 8062
CVSS Base Score - 7.1
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - None
Availability Impact - None
CVSS Temporal Score - 5.9
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
PXE Encryption Phishing Vulnerabilities - IronPort Bug 8149
CVSS Base Score - 6.1
Access Vector - Network
Access Complexity - High
Authentication - None
Confidentiality Impact - Complete
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 5
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance CSRF Vulnerability - IronPort Bug 5806
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
IronPort Encryption Appliance Logout Action CSRF Vulnerability - IronPort Bug 6403
CVSS Base Score - 5.8
Access Vector - Network
Access Complexity - Medium
Authentication - None
Confidentiality Impact - Partial
Integrity Impact - Partial
Availability Impact - None
CVSS Temporal Score - 4.8
Exploitability - Functional
Remediation Level - Official Fix
Report Confidence - Confirmed
Impact
======
PXE Encryption Privacy Vulnerabilities
+-------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to obtain user credentials and view the contents of
intercepted secure e-mail messages, which could result in the
disclosure of sensitive information.
IronPort Encryption Appliance Administration Interface Vulnerabilities
+---------------------------------------------------------------------
Successful exploitation of these vulnerabilities could allow an
attacker to access user accounts on an IronPort Encryption Appliance
device, which could result in the modification of user preferences.
Software Versions and Fixes
===========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
Workarounds
===========
There are no workarounds for the vulnerabilities that are described
in this advisory.
There are mitigations available to help prevent exploitation of the
PXE Encryption phishing-style vulnerability. Phishing attacks can be
greatly reduced if DomainKeys Identified Mail (DKIM) and Sender
Policy Framework (SPF) are implemented on IronPort e-mail gateways to
help ensure message integrity and source origin. Additionally, the
PXE Encryption solution contains an anti-phishing Secure Pass Phrase
feature to ensure that secure notification e-mail messages are valid.
This feature is enabled by recipients when configuring their PXE user
profile. Cisco has released a best practices document that describes
several techniques for mitigating the phishing-style attacks; it is
available at the following link:
http://www.cisco.com/web/about/security/intelligence/bpiron.html
Obtaining Fixed Software
========================
Cisco has released free software updates that address these
vulnerabilities. The affected products in this advisory are directly
supported by IronPort, and not via the Cisco TAC organization.
Customers should contact IronPort technical support at the link below
to obtain software fixes. IronPort technical support will assist
customers in determining the correct fixes and installation
procedures. Customers should direct all warranty questions to
IronPort technical support.
Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.
http://www.ironport.com/support/contact_support.html
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities that are described in this advisory.
J.B. Snyder of Brintech reported a method for obtaining PXE
Encryption user credentials via a phishing-style attack to Cisco.
All other vulnerabilities were discovered by Cisco or reported by
customers.
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20090114-ironport.shtml
In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-bulletins@lists.first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.
Revision History
================
+-----------------------------------------------------------------+
| Revision 1.0   | 2009-January-14   | Initial public release     |
+-----------------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices.
All Cisco security advisories are available at:
http://www.cisco.com/go/psirt
----------------------------------------------------------------------
TITLE:
Cisco IronPort Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA33479
VERIFY ADVISORY:
http://secunia.com/advisories/33479/
CRITICAL:
Moderately critical
IMPACT:
Cross Site Scripting, Exposure of sensitive information
WHERE:
From remote
OPERATING SYSTEM:
Cisco IronPort Encryption Appliance 6.x
http://secunia.com/advisories/product/20990/
SOFTWARE:
Cisco IronPort PostX 6.x
http://secunia.com/advisories/product/20991/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco IronPort products,
which can be exploited by malicious people to disclose sensitive
information or conduct cross-site request forgery attacks.
3) The web-based administration interface allows users to perform
certain actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to e.g.
http://www.ironport.com/support/contact_support.html
PROVIDED AND/OR DISCOVERED BY:
2) The vendor credits J.B. Snyder of Brintech
ORIGINAL ADVISORY:
Cisco (cisco-sa-20090114-ironport):
http://www.cisco.com/en/US/products/products_security_advisory09186a0080a5c4f7.shtml