VARIoT IoT vulnerabilities database

VAR-200701-0556 | CVE-2007-0187 | F5 Firepass Multiple Input Validation Vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
F5 FirePass 5.4 through 5.5.2 and 6.0 allows remote attackers to access restricted URLs via (1) a trailing null byte, (2) multiple leading slashes, (3) Unicode encoding, (4) URL-encoded directory traversal or same-directory characters, or (5) upper case letters in the domain name. F5 FirePass contains a vulnerability that allows restricted URLs to be accessed; a third party may be able to reach URLs that should be restricted. F5 Firepass is prone to multiple input-validation vulnerabilities because the device fails to sufficiently sanitize user-supplied input. These issues include information-disclosure, security bypass, and cross-site scripting vulnerabilities.
An attacker can exploit these issues to bypass security restrictions, to view sensitive information, and to steal cookie-based authentication credentials. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
VAR-200701-0555 | CVE-2007-0186 | F5 FirePass SSL VPN Vulnerable to cross-site scripting |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN allow remote attackers to inject arbitrary web script or HTML via (1) the xcho parameter to my.logon.php3; the (2) topblue, (3) midblue, (4) wtopblue, and certain other Custom color parameters in a per action to vdesk/admincon/index.php; the (5) h321, (6) h311, (7) h312, and certain other Front Door custom text color parameters in a per action to vdesk/admincon/index.php; the (8) ua parameter in a bro action to vdesk/admincon/index.php; the (9) app_param and (10) app_name parameters to webyfiers.php; (11) double eval functions; (12) JavaScript contained in an <FP_DO_NOT_TOUCH> element; and (13) the vhost parameter to my.activation.php. NOTE: it is possible that this candidate overlaps CVE-2006-3550. F5 FirePass SSL VPN contains a cross-site scripting vulnerability, which may overlap CVE-2006-3550. A third party may be able to insert web script or HTML via: (1) the xcho parameter to my.logon.php; (2) the topblue custom color parameter in a per action to vdesk/admincon/index.php; (3) the midblue custom color parameter in a per action to vdesk/admincon/index.php; (4) the wtopblue custom color parameter in a per action to vdesk/admincon/index.php, and others; (5) the h321 Front Door custom text color parameter in a per action to vdesk/admincon/index.php; (6) the h311 Front Door custom text color parameter in a per action to vdesk/admincon/index.php; (7) the h312 Front Door custom text color parameter in a per action to vdesk/admincon/index.php, and others. F5 Firepass is prone to multiple input-validation vulnerabilities because the device fails to sufficiently sanitize user-supplied input. These issues include information-disclosure, security bypass, and cross-site scripting vulnerabilities.
An attacker can exploit these issues to bypass security restrictions, to view sensitive information, and to steal cookie-based authentication credentials. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
VAR-200701-0517 | CVE-2007-0022 | Kerberos administration daemon may free uninitialized pointers |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Untrusted search path vulnerability in writeconfig in Apple Mac OS X 10.4.8 allows local users to gain privileges via a modified PATH that points to a malicious launchctl program. A vulnerability exists in the Kerberos administration daemon that may allow a remote, unauthenticated user to free uninitialized pointers. Freeing uninitialized pointers corrupts memory in a way that could allow an attacker to execute code. According to Apple information, it may be possible to execute arbitrary code with system privileges.
A successful attack can allow local attackers to gain superuser privileges.
Mac OS X 10.4.8 is reported vulnerable; other versions may be affected as well.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Gentoo update for mit-krb5
SECUNIA ADVISORY ID:
SA23903
VERIFY ADVISORY:
http://secunia.com/advisories/23903/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Gentoo Linux 1.x
http://secunia.com/product/339/
DESCRIPTION:
Gentoo has issued an update for krb5. This fixes some
vulnerabilities, which can potentially be exploited by malicious
people to cause a DoS (Denial of Service) or compromise a vulnerable
system.
For more information:
SA23690
SA23696
SOLUTION:
Update to "app-crypt/mit-krb5-1.5.2" or later.
ORIGINAL ADVISORY:
http://www.gentoo.org/security/en/glsa/glsa-200701-21.xml
OTHER REFERENCES:
SA23690:
http://secunia.com/advisories/23690/
SA23696:
http://secunia.com/advisories/23696/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0059 | CVE-2007-0195 | F5 FirePass my.activation.php3 vulnerability allowing the validity of an LDAP account name to be confirmed |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
my.activation.php3 in F5 FirePass 5.4 through 5.5.1 and 6.0 displays different error messages for failed login attempts with a valid username than for those with an invalid username, which allows remote attackers to confirm the validity of an LDAP account. F5 Firepass is prone to multiple input-validation vulnerabilities because the device fails to sufficiently sanitize user-supplied input. These issues include information-disclosure, security bypass, and cross-site scripting vulnerabilities.
An attacker can exploit these issues to bypass security restrictions, to view sensitive information, and to steal cookie-based authentication credentials. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.
VAR-200701-0565 | CVE-2007-0105 | Cisco Secure Access Control Server vulnerable to a stack-based buffer overflow via a specially crafted "HTTP GET" request |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the CSAdmin service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted HTTP GET request.
Versions prior to 4.1 are vulnerable to these issues.
----------------------------------------------------------------------
TITLE:
Cisco Secure ACS Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA23629
VERIFY ADVISORY:
http://secunia.com/advisories/23629/
CRITICAL:
Highly critical
IMPACT:
DoS, System access
WHERE:
From remote
OPERATING SYSTEM:
Cisco Secure ACS Solution Engine 3.x
http://secunia.com/product/4206/
SOFTWARE:
Cisco Secure ACS 3.x
http://secunia.com/product/679/
Cisco Secure ACS 4.x
http://secunia.com/product/10635/
DESCRIPTION:
Some vulnerabilities have been reported in Cisco Secure ACS, which
can be exploited by malicious users or people to cause a DoS (Denial
of Service) or to compromise a vulnerable system.
Successful exploitation allows execution of arbitrary code.
2) An unspecified error within the CSRadius service when processing
RADIUS Accounting-Request packets can be exploited to cause a
stack-based buffer overflow via a specially crafted RADIUS
Accounting-Request packet.
Successful exploitation allows execution of arbitrary code.
3) Unspecified errors within the CSRadius service when processing
RADIUS Access-Request packets can be exploited to crash the service
via a specially crafted RADIUS Access-Request packet.
Note: The following products are reportedly not affected:
* Cisco Secure ACS for Unix (CSU).
* Cisco CNS Access Registrar (CAR).
* Cisco Secure ACS server for Windows version 4.1(X) or later.
SOLUTION:
Apply patches.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits CESG's Vulnerability Research Group and National
Infrastructure Security Co-ordination Centre (NISCC).
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml
VAR-200701-0577 | CVE-2007-0117 | DiskManagement.framework DiskManagementTool privilege escalation vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
DiskManagementTool in the DiskManagement.framework 92.29 on Mac OS X 10.4.8 does not properly validate Bill of Materials (BOM) files, which allows attackers to gain privileges via a BOM file under /Library/Receipts/, which triggers arbitrary file permission changes upon execution of a diskutil permission repair operation. The Apple DiskManagement framework is prone to a local privilege-escalation vulnerability. This issue occurs when handling specially crafted Bill of Materials (BOM) files.
A successful exploit would allow a local attacker to execute arbitrary code with superuser privileges. A successful exploit would lead to the complete compromise of affected computers. Failed exploit attempts will result in a denial-of-service condition.
This issue affects DiskManagement 92.29 and Mac OS X 10.4.8; prior versions may also be affected.
----------------------------------------------------------------------
TITLE:
Mac OS X BOM Privilege Escalation Vulnerability
SECUNIA ADVISORY ID:
SA23653
VERIFY ADVISORY:
http://secunia.com/advisories/23653/
CRITICAL:
Less critical
IMPACT:
Privilege escalation
WHERE:
Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
A vulnerability has been reported in Mac OS X, which can be exploited
by malicious, local users to gain escalated privileges.
The vulnerability is reported in version 10.4.8. Other versions may
also be affected.
SOLUTION:
Remove the setuid bit from
/System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool.
PROVIDED AND/OR DISCOVERED BY:
Discovered as a 0-day and reported by LMH and Kevin Finisterre
(MOAB).
ORIGINAL ADVISORY:
http://projects.info-pull.com/moab/MOAB-05-01-2007.html
VAR-200701-0591 | CVE-2007-0057 | CCA Vulnerable to unauthorized access |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Cisco Clean Access (CCA) 3.6.x through 3.6.4.2 and 4.0.x through 4.0.3.2 does not properly configure or allow modification of a shared secret authentication key, which causes all devices to have the same shared secret and allows remote attackers to gain unauthorized access. Cisco Clean Access (CCA) is prone to a remote security vulnerability. Cisco Clean Access (CCA) is a software solution for automatically detecting, quarantining, and cleaning devices infected with malicious code, preventing them from accessing the network.
Successful exploitation may allow administrative access to a Cisco
Access Server, but requires that the attacker is able to establish
TCP connections to the target.
The security issue is reported in versions 3.6.x - 3.6.4.2 and 4.0.x
- 4.0.3.2.
SOLUTION:
Update to version 3.6.4.3, 4.0.4, or 4.1.0, or apply patch
Patch-CSCsg24153.tar.gz.
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_security_advisory09186a00807b6621.shtml
VAR-200701-0592 | CVE-2007-0058 | CCA Clean Access Manager (CAM) arbitrary manual database backup download vulnerability |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Cisco Clean Access (CCA) 3.5.x through 3.5.9 and 3.6.x through 3.6.1.1 on the Clean Access Manager (CAM) allows remote attackers to bypass authentication and download arbitrary manual database backups by guessing the snapshot filename using brute force, then making a direct request for the file. Cisco Clean Access (CCA) is prone to a security bypass vulnerability. Cisco Clean Access (CCA) is a software solution for automatically detecting, quarantining, and cleaning devices infected with malicious code from accessing the network.
----------------------------------------------------------------------
TITLE:
Cisco Clean Access Predictable Snapshots Filename
SECUNIA ADVISORY ID:
SA23556
VERIFY ADVISORY:
http://secunia.com/advisories/23556/
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information
WHERE:
From local network
SOFTWARE:
Cisco Clean Access (CCA) 3.x
http://secunia.com/product/5561/
DESCRIPTION:
Cisco has acknowledged a security issue in Cisco Clean Access, which
can be exploited by malicious people to gain knowledge of sensitive
information.
The security issue is caused by the use of a predictable method
to name manual backups of the database, which can be exploited to
disclose the contents of the database.
The security issue is reported in CCA releases 3.5.x - 3.5.9 and
3.6.x - 3.6.1.1. Other versions may also be affected.
SOLUTION:
Update to versions 3.5.10 or 3.6.2.
PROVIDED AND/OR DISCOVERED BY:
The vendor credits Chris Hartley from Ohio State University.
ORIGINAL ADVISORY:
http://www.cisco.com/en/US/products/products_security_advisory09186a00807b6621.shtml
VAR-200701-0593 | CVE-2007-0059 | Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Cross-zone scripting vulnerability in Apple Quicktime 3 to 7.1.3 allows remote user-assisted attackers to execute arbitrary code and list filesystem contents via a QuickTime movie (.MOV) with an HREF Track (HREFTrack) that contains an automatic action tag with a local URI, which is executed in a local zone during preview, as exploited by a MySpace worm. Web browsers running the Apple QuickTime plugin may allow remote web sites to reference content on the local filesystem. This may allow an attacker to execute script within the security context of the local machine. Apple QuickTime is multimedia playback software developed by Apple. The software is capable of handling multiple sources such as digital video, media segments, and more. A cross-site scripting vulnerability exists in Apple Quicktime versions 3 through 7.1.3. The HREF Track (HREFTrack) contains an automatic action tag with a local URI, which is executed in the local zone during preview; this was exploited by a MySpace worm.
VAR-201112-0001 | CVE-2007-6750 | Apache HTTP Server denial of service (daemon outage) vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15. Apache and Microsoft IIS are prone to a denial-of-service vulnerability.
A remote attacker may exploit this issue to cause denial-of-service conditions.
Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03734195
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03734195
Version: 1
HPSBUX02866 SSRT101139 rev.1 - HP-UX Running Apache, Remote Denial of Service
(DoS), Execution of Arbitrary Code and other vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2013-04-15
Last Updated: 2013-04-12
Potential Security Impact: Remote Denial of Service (DoS), execution of
arbitrary code and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP-UX Running
Apache. These vulnerabilities could be exploited remotely to create a Denial
of Service (DoS) or to execute arbitrary code and other vulnerabilities.
References: HP-UX Apache: CVE-2007-6750, CVE-2012-2687, CVE-2012-3499,
CVE-2012-4557, CVE-2012-4558, CVE-2012-4929
Tomcat v6.0 and v7.0: CVE-2012-2733, CVE-2012-3546, CVE-2012-4431,
CVE-2012-4534, CVE-2012-5885
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.23, B.11.31 running HP-UX Apache Web Server Suite v3.25 or earlier
BACKGROUND
CVSS 2.0 Base Metrics
===========================================================
Reference Base Vector Base Score
CVE-2007-6750 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-2687 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6
CVE-2012-2733 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-3499 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-3546 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4431 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4534 (AV:N/AC:H/Au:N/C:N/I:N/A:P) 2.6
CVE-2012-4557 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2012-4558 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3
CVE-2012-4929 (AV:N/AC:H/Au:N/C:P/I:N/A:N) 2.6
CVE-2012-5885 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0
===========================================================
Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following software updates to resolve the vulnerability.
The update for B.11.23 and B.11.31 is available for download from
ftp://sb_02866:6hq{PM6a@ftp.usa.hp.com
Web Server Suite Version / Apache Depot Name
HP-UX Web Server Suite v.3.26 containing Apache v2.2.15.15 and Tomcat B.5.5.36.01:
HP-UX_11.23_HPUXWS22ATW-B326-11-23-64.depot
HP-UX_11.23_HPUXWS22ATW-B326-11-23-32.depot
HP-UX Web Server Suite v.3.26 containing Apache v2.2.15.15 and Tomcat C.6.0.36.01:
HP-UX_11.31_HPUXWS22ATW-B326-11-31-64.depot
HP-UX_11.31_HPUXWS22ATW-B326-11-31-32.depot
Tomcat D.7.0.35.01:
HP-UX_11.31_hpuxws22Tomcat_D.7.0.35.01_HP-UX_B.11.31_IA_PA.depot
MANUAL ACTIONS: Yes - Update
Install HP-UX Web Server Suite v3.26 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HP and lists recommended actions that may apply to a specific HP-UX
system. It can also download patches and create a depot automatically. For
more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.23
HP-UX B.11.31
==================
hpuxws22APCH32.APACHE
hpuxws22APCH32.APACHE2
hpuxws22APCH32.AUTH_LDAP
hpuxws22APCH32.AUTH_LDAP2
hpuxws22APCH32.MOD_JK
hpuxws22APCH32.MOD_JK2
hpuxws22APCH32.MOD_PERL
hpuxws22APCH32.MOD_PERL2
hpuxws22APCH32.PHP
hpuxws22APCH32.PHP2
hpuxws22APCH32.WEBPROXY
hpuxws22APCH32.WEBPROXY2
action: install revision B.2.2.15.15 or subsequent
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision C.6.0.36.01 or subsequent
HP-UX B.11.31
==================
hpuxws22TOMCAT.TOMCAT
action: install revision D.7.0.35.01 or subsequent
END AFFECTED VERSIONS
HISTORY
Version:1 (rev.1) - 15 April 2013 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hp.com.
Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-alert@hp.com
Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins
Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430
Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX
Copyright 2013 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits;damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their respective owners.
APPLE-SA-2017-03-27-7 macOS Server 5.3
macOS Server 5.3 is now available and addresses the following:
Profile Manager
Available for: macOS 10.12.4 and later
Impact: A remote user may be able to cause a denial-of-service
Description: A crafted request may cause a global cache to grow
indefinitely, leading to a denial-of-service. This was addressed by
not caching unknown MIME types.
CVE-2007-6750
Wiki Server
Available for: macOS 10.12.4 and later
Impact: A remote attacker may be able to enumerate users
Description: An access issue was addressed through improved
permissions checking.
CVE-2017-2382: Maris Kocins of SEMTEXX LTD
Installation note:
macOS Server 5.3 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
The HPE Insight Control 7.5.1 Update
kit applicable to HPE Insight Control 7.5.x installations is available at the
following location:
http://www.hpe.com/info/insightcontrol
HPE has addressed these vulnerabilities for the impacted software components
bundled with HPE Insight Control in the following HPE Security Bulletins:
HPE Systems Insight Manager (SIM) (HPE Security Bulletin: HPSBMU03590)
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05131085
HPE System Management Homepage (SMH) (HPE Security Bulletin: HPSBMU03593)
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05111017
Version Control Repository Manager (VCRM) (HPE Security Bulletin:
HPSBMU03589)
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05131044
HPE Server Migration Pack(SMP) (HPE Security Bulletin: HPSBMU03591)
http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05130958
HPE Insight Control server provisioning (HPE Security Bulletin: HPSBMU03600)
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c05150736
HISTORY
Version:1 (rev.1) - 1 June 2016 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Background
==========
Apache HTTP Server is one of the most popular web servers on the
Internet.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 www-servers/apache < 2.2.25 >= 2.2.25
Description
===========
Multiple vulnerabilities have been found in Apache HTTP Server. Please
review the CVE identifiers and research paper referenced below for
details.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Apache HTTP Server users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-servers/apache-2.2.25"
References
==========
[ 1 ] CVE-2007-6750
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6750
[ 2 ] CVE-2012-4929
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4929
[ 3 ] CVE-2013-1862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1862
[ 4 ] CVE-2013-1896
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1896
[ 5 ] Compression and Information Leakage of Plaintext
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201309-12.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2013 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
VAR-200701-0534 | CVE-2007-0051 | Apple iPhoto Format string vulnerability |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Format string vulnerability in Apple iPhoto 6.0.5 (316), and other versions before 6.0.6, allows remote user-assisted attackers to execute arbitrary code via a crafted photocast with format string specifiers in the title of an RSS iPhoto feed. iLife iPhoto is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.
Version 6.0.5 (316) is vulnerable; other versions may also be affected. Apple iLife iPhoto software allows users to create and share photo pages on websites.
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
Try it out online:
http://secunia.com/software_inspector/
----------------------------------------------------------------------
TITLE:
Apple iLife iPhoto Photocast XML "title" Format String Vulnerability
SECUNIA ADVISORY ID:
SA23615
VERIFY ADVISORY:
http://secunia.com/advisories/23615/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Apple iLife iPhoto 6.x
http://secunia.com/product/13158/
DESCRIPTION:
Kevin Finisterre has reported a vulnerability in iLife iPhoto, which
potentially can be exploited by malicious people to compromise a
user's system.
Successful exploitation requires that the user e.g. is tricked into
subscribing to a malicious Photocast feed.
SOLUTION:
Do not follow or subscribe to untrusted links to Photocast feeds.
PROVIDED AND/OR DISCOVERED BY:
Kevin Finisterre
ORIGINAL ADVISORY:
http://projects.info-pull.com/moab/MOAB-04-01-2007.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------
Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
----------------------------------------------------------------------
VAR-200701-0489 | CVE-2007-0081 | SKPF Trojan horse in iphlpapi.dll Vulnerability provided |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Sunbelt Kerio Personal Firewall (SKPF) 4.3.268 and 4.3.246, and possibly other versions allows local users to provide a Trojan horse iphlpapi.dll to SKPF by placing it in the installation directory.
A local attacker could exploit this issue to execute arbitrary machine code with SYSTEM-level privileges. A successful exploit could result in the complete compromise of the affected computer.
Versions 4.3.246 and 4.3.268 are vulnerable to this issue; other versions may also be affected. The firewall service loads iphlpapi.dll from its installation directory if one is present there; if it cannot be found, it loads it from the operating system directory. Because the software installation directory is writable, a local attacker can place a counterfeit DLL file there; the firewall service loads and executes the code in it when it initializes, resulting in the execution of arbitrary attacker-supplied instructions.
VAR-200701-0596 | CVE-2007-0015 | Apple QuickTime RTSP buffer overflow |
CVSS V2: 6.8 CVSS V3: - Severity: MEDIUM |
Buffer overflow in Apple QuickTime 7.1.3 allows remote attackers to execute arbitrary code via a long rtsp:// URI. Apple QuickTime is prone to a remote buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input prior to copying it to an insufficiently sized stack-based memory buffer.
Attackers exploit this issue by coercing targeted users to access malicious HTML or QTL files or by executing malicious JavaScript code.
QuickTime 7.1.3 is vulnerable to this issue; other versions may also be affected. Apple QuickTime is a popular multimedia player that supports a wide variety of media formats. A remote attacker can construct a URL string such as "rtsp://[any character]:[> 256 bytes]" and lure the user into clicking it; when the system hands the URL to QuickTime for processing, the overflow occurs and arbitrary attacker-supplied commands are executed.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA07-005A
Apple QuickTime RTSP Buffer Overflow
Original release date: January 05, 2007
Last revised: --
Source: US-CERT
Systems Affected
Apple QuickTime on systems running
* Apple Mac OS X
* Microsoft Windows
Note that Apple iTunes and other software using the vulnerable
QuickTime components are also affected.
I.
Public exploit code is available that demonstrates how opening a .QTL file
triggers the buffer overflow. However, we have confirmed that other
attack vectors for the vulnerability also exist.
Possible attack vectors include
* a web page that uses the QuickTime plug-in or ActiveX control
* a web page that uses the rtsp:// protocol
* a file that is associated with the QuickTime Player
US-CERT is tracking this issue as VU#442497. This reference number
corresponds to CVE-2007-0015.
Note that this vulnerability affects QuickTime on Microsoft Windows
and Apple Mac platforms. Although web pages can be used as attack
vectors, this vulnerability is not dependent on the specific web
browser that is used.
II.
III. Solution
We are currently unaware of a solution to this problem. Until a
solution becomes available, the workarounds provided in US-CERT
Vulnerability Note VU#442497 are strongly encouraged.
<http://www.kb.cert.org/vuls/id/442497>
IV. References
* US-CERT Vulnerability Note VU#442497 -
<http://www.kb.cert.org/vuls/id/442497>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
* CVE-2007-0015 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA07-005A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA07-005A Feedback VU#442497" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2007 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
January 05, 2007: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRZ7D9OxOF3G+ig+rAQLG+Af/e+VhtMJEDuzVbT47HRdINgIRiOceCx4u
DZFbMaUvYu4hjGu9f+T6AaGWR9FQj1ZzWDYf/JHY67NCSkwJdFY4Th1vR09BXJGy
lmAzlj7+l3U4UeR+rEud0ajP8qCO7vwRGP4rPUVkcqgaBXqdyfgQbNHtwIpw6w/z
eFYyUp/2EA1vHeTGdPNAkQTupuC95kA0QsiONCVv9xTqg7xnlcXBTwKz+T/DcWig
LDLgPMupim8+ruhkzCCOVveIFQPBdXN5Aem/Fvpmhi2V5HRBc65vKaDoLzBpt4BZ
Wdbeud6ljPjm0JLPvy84Gn7qFcjCu3WP3Nayd7rhbClFZSWyGilM+Q==
=RrHt
-----END PGP SIGNATURE-----
This can be exploited to cause a stack-based buffer
overflow via a specially crafted QTL file with an overly long (more
than 256 bytes) "src" parameter (e.g. "rtsp://[any character]:[>256
bytes]").
SOLUTION:
Do not open untrusted QTL files.
PROVIDED AND/OR DISCOVERED BY:
LMH
ORIGINAL ADVISORY:
http://projects.info-pull.com/moab/MOAB-01-01-2007.html
----------------------------------------------------------------------
VAR-200612-0248 | CVE-2006-6488 | ICONICS Dialog Wrapper Module ActiveX Control Remote Stack Overflow Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the DoModal function in the Dialog Wrapper Module ActiveX control (DlgWrapper.dll) before 8.4.166.0, as used by ICONICS OPC Enabled Gauge, Switch, and Vessel ActiveX, allows remote attackers to execute arbitrary code via a long (1) FileName or (2) Filter argument. This vulnerability may allow a remote attacker to execute arbitrary code on a vulnerable system. ICONICS is a professional company that provides OPC-based visualization software. Failed attempts can crash the host application.
Versions prior to DlgWrapper.dll 8.4.166.0 are affected.
visits a malicious website.
The vulnerability is confirmed in ICONICS Vessel ActiveX 8.02.140
including DlgWrapper.dll 8.0.138.0.
SOLUTION:
Update to DlgWrapper.dll 8.4.166.0 by applying the hotfix:
http://www.iconics.com/support/free_tools/FreeToolsActiveX_DlgWrapperHotFix.zip
PROVIDED AND/OR DISCOVERED BY:
Will Dormann
ORIGINAL ADVISORY:
US-CERT VU#251969:
http://www.kb.cert.org/vuls/id/251969
----------------------------------------------------------------------
VAR-200612-0251 | CVE-2006-4727 | Tumbleweed EMF Administration Module of emfadmin/statusView.do Vulnerable to cross-site scripting |
CVSS V2: 4.3 CVSS V3: - Severity: MEDIUM |
Cross-site scripting (XSS) vulnerability in emfadmin/statusView.do in Tumbleweed EMF Administration Module 6.2.2 Build 4123, and possibly other versions before 6.3.2, allows remote attackers to inject arbitrary web script or HTML via the (1) lineId and (2) sort parameters.
VAR-200612-0485 | CVE-2006-4098 | Cisco Secure Access Control Server vulnerable to a stack-based buffer overflow via a specially crafted "HTTP GET" request |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Stack-based buffer overflow in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allows remote attackers to execute arbitrary code via a crafted RADIUS Accounting-Request packet.
Versions prior to 4.1 are vulnerable to these issues.
Two of the vulnerabilities may permit arbitrary code execution after
exploitation of the specified vulnerability.
Affected Cisco Secure ACS services, and the impact of the vulnerabilities
are as follows:
* Specially Crafted HTTP GET Request Vulnerability:
Processing a specially crafted HTTP GET request may crash the CSAdmin
service. This vulnerability is also susceptible to a stack overflow
condition.
* Specially Crafted RADIUS Accounting-Request Vulnerability:
Processing a specially crafted RADIUS Accounting-Request packet may crash
the CSRadius service. This vulnerability is also susceptible to a stack
overflow condition.
* Specially Crafted RADIUS Access-Request Vulnerabilities:
Processing a specially crafted RADIUS Access-Request packet may crash the
CSRadius service.
Cisco has made free software available to address this issue for affected
customers.
We would like to thank CESG's Vulnerability Research Group and National
Infrastructure Security Co-ordination Centre (NISCC) for reporting
several of these vulnerabilities to Cisco Systems.
We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml.
The following example would be seen when running
Cisco Secure ACS software version 4.0(1) Build 27:
CiscoSecure ACS
ACS software version 4.0(1) Build 27:
Copyright information is seen underneath this information.
Products Confirmed Not Vulnerable
+--------------------------------
* Cisco Secure ACS for Unix (CSU).
* Cisco CNS Access Registrar (CAR).
* Cisco Secure ACS server for Windows version 4.1(X) or later.
* Cisco Secure ACS server solution Engine version 4.1(X) or later.
CSAdmin is the service that provides the web server for the ACS web
administration interface.
CSRadius is the service that communicates between the CSAuth module (the
authentication and authorization service) and the access device that is
requesting authentication and authorization services.
Specially Crafted HTTP GET Request Vulnerability:
+------------------------------------------------
This vulnerability is exploited by processing a specially crafted HTTP
GET request. Upon successful exploitation, the CSAdmin service may
crash. This vulnerability is also susceptible to a stack based overflow
condition which may allow arbitrary code execution if successfully
exploited.
If this vulnerability is successfully exploited, the CSAdmin service
will require a manual restart of the service. Normal Authentication,
Authorization and Accounting (AAA) processing will continue. With Cisco Secure
ACS for Windows you can start or stop CSAdmin from the Windows Control
Panel. Upon successful exploitation, the CSRadius
service may crash and an exception trap error will be generated for
the CSRadius service within the Windows Event Viewer System log. This
vulnerability is also susceptible to a stack based overflow condition
which may allow arbitrary code execution if successfully exploited.
This vulnerability is documented in Cisco Bug ID:
* CSCse18278 -- Stack based overflow within CSRadius when processing
Accounting-Request. These vulnerabilities will not allow arbitrary
code execution after successful exploitation. An exception trap error
will be recorded within the CSRadius log file and an error will be seen
for the CSRadius service within the Windows Event Viewer System log
after successful exploitation.
These vulnerabilities are documented in Cisco Bug IDs:
* CSCse18250 -- CSRadius Service crashes when processing a specially
crafted Access-Request packet. (CVE-2006-4097)
* CSCeg04788 -- CSRadius Service crashes when processing a specially
crafted Access-Request packet.
* CSCeg04666 -- CSRadius Service crashes when processing a specially
crafted Access-Request packet.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers
are encouraged to apply the bias parameter when determining the
environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute
the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
Cisco Bug IDs:
CSCsd96293 - Stack based overflow within
CSAdmin when processing HTTP GET request
+---------------------------------------
CVSS Base Score - 10
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 8.3
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCse18278 - Stack based overflow within
CSRadius when processing Accounting-Request
+------------------------------------------
CVSS Base Score - 6.0
Access Vector: Remote
Access Complexity: Low
Authentication: Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 5.0
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCse18250 - CSRadius Service crashes when processing
a specially crafted Access-Request packet.
+----------------------------------------------------
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCeg04788 - CSRadius Service crashes when processing
a specially crafted Access-Request packet.
+----------------------------------------------------
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCeg04666 - CSRadius Service crashes when processing
a specially crafted Access-Request packet.
+----------------------------------------------------
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
Impact
======
Specially Crafted HTTP GET Request Vulnerability:
+------------------------------------------------
Successful exploitation may result in the web administrative interface
being unavailable until the CSAdmin service is restarted from the Windows
Control Panel. Normal Authentication, Authorization and Accounting (AAA)
processing will continue. This vulnerability may allow arbitrary code
execution if successfully exploited.
Specially Crafted RADIUS Accounting-Request Vulnerability:
+---------------------------------------------------------
Successful exploitation may result in RADIUS Authentication,
Authorization and Accounting processing not being performed until the
CSRadius service is restarted. TACACS+ Authentication, Authorization and
Accounting (AAA) processing will continue. Repeated exploitation could
result in a sustained Denial-of-Service (DoS) condition of the RADIUS
AAA services. This vulnerability may allow arbitrary code execution if
successfully exploited.
Specially Crafted RADIUS Access-Request Vulnerabilities:
+-------------------------------------------------------
Successful exploitation may result in RADIUS Authentication,
Authorization and Accounting processing not being performed as the
CSRadius service restarts. TACACS+ Authentication, Authorization and
Accounting (AAA) processing will continue. Repeated exploitation could
result in a sustained Denial-of-Service (DoS) condition of the RADIUS
AAA services.
Software Version and Fixes
==========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Each row of the software table (below) describes one of the
vulnerabilities described in this document. For each vulnerability
the earliest possible Release that contains the fix is listed in the
"Availability of First Fixed Release" column. A device running a release
that is earlier than the release in a specific column (less than the
First Fixed Release) is known to be vulnerable. The release should be
upgraded at least to the indicated release or a later version (greater
than or equal to the First Fixed Release label) or the appropriate patch
applied.
+-----------------------------------------------------------------------------+
| Vulnerability            | Major Software   | Availability of First Fixed   |
|                          | Release          | Releases *                    |
|--------------------------+------------------+-------------------------------|
|                          | 3.1(X)           | Vulnerable; Contact TAC       |
|                          |------------------+-------------------------------|
|                          | 3.2(X)           | Vulnerable; Contact TAC       |
|                          |------------------+-------------------------------|
| HTTP Vulnerability       | 3.3(X)           | 3.3(4) Build 12.              |
|                          |------------------+-------------------------------|
|                          | 4.0(X)           | Apply patch **.               |
|                          |------------------+-------------------------------|
|                          | 4.1(X)           | Are not vulnerable            |
|--------------------------+------------------+-------------------------------|
|                          | 3.1(X)           | Vulnerable; Contact TAC       |
|                          |------------------+-------------------------------|
|                          | 3.2(X)           | Vulnerable; Contact TAC       |
| Accounting-Request       |------------------+-------------------------------|
| Vulnerability            | 3.3(X)           | 3.3(4) Build 12.              |
|                          |------------------+-------------------------------|
|                          | 4.0(X)           | 4.0(1) Build 27.              |
|                          |------------------+-------------------------------|
|                          | 4.1(X)           | Are not vulnerable            |
|--------------------------+------------------+-------------------------------|
|                          | 3.1(X)           | Vulnerable; Contact TAC       |
|                          |------------------+-------------------------------|
|                          | 3.2(X)           | Vulnerable; Contact TAC       |
| Access-Request           |------------------+-------------------------------|
| Vulnerabilities          | 3.3(X)           | 3.3(3) Build 11.              |
|                          |------------------+-------------------------------|
|                          | 4.0(X)           | 4.0(1) Build 27.              |
|                          |------------------+-------------------------------|
|                          | 4.1(X)           | Are not vulnerable            |
|-----------------------------------------------------------------------------|
| Notes:                                                                      |
|                                                                             |
| * 3.3(4) Build 12 is available by contacting Cisco TAC.                     |
+-----------------------------------------------------------------------------+
The effectiveness of any mitigation or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied mitigation or fix
is the most appropriate for use in the intended network before it is
deployed.
Additional mitigations that can be deployed on Cisco
devices within the network are available in the Cisco
Applied Intelligence companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070105-csacs.shtml
* Infrastructure ACLs (iACL)
Apply access control lists (ACLs) on routers, switches and firewalls that
filter traffic to the ACS so that traffic is only allowed from stations
that need to remotely administer the box, or be authenticated, authorized,
or provide accounting data against/to the ACS server. Refer to
http://www.cisco.com/warp/public/707/iacl.html for examples on
infrastructure ACLs.
* Anti-Spoofing
To prevent spoofed IP packets with the source IP address set to that
of the Cisco Secure ACS administrative management station from reaching
the Cisco Secure ACS server, utilize anti-spoofing techniques. For more
information on utilizing ACLs for anti-spoofing, refer to
http://www.cisco.com/warp/public/707/21.pdf and
http://www.ietf.org/rfc/rfc2827.txt.
The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to
mitigate problems that are caused by forged IP source addresses that
are passing through a router. Refer to
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm
for more information.
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed software
becomes available. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html , or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point
of sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Several of these vulnerabilities were reported to Cisco by CESG's
Vulnerability Research Group and National Infrastructure Security
Co-ordination Centre (NISCC).
Status of this Notice: FINAL
============================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY
ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits
the distribution URL in the following section is an uncontrolled copy,
and may lack important information or contain factual errors.
Distribution
============
This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients.
* cust-security-announce@cisco.com
* first-teams@first.org
* bugtraq@securityfocus.com
* vulnwatch@vulnwatch.org
* cisco@spot.colorado.edu
* cisco-nsp@puck.nether.net
* full-disclosure@lists.grok.org.uk
* comp.dcom.sys.cisco@newsgate.cisco.com
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+---------------------------------------------------------+
| Revision 1.0 | 2007-January-05 | Initial public release |
+---------------------------------------------------------+
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities
in Cisco products, obtaining assistance with security
incidents, and registering to receive security information
from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security
notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
- -------------------------------------------------------------------------------
All contents are Copyright 1992-2007 Cisco Systems, Inc. All rights reserved.
- -------------------------------------------------------------------------------
Updated: Jan 05, 2007 Document ID: 77820
- -------------------------------------------------------------------------------
----------------------------------------------------------------------
Secunia is proud to announce the availability of the Secunia Software
Inspector.
The Secunia Software Inspector is a free service that detects insecure
versions of software that you may have installed in your system. When
insecure versions are detected, the Secunia Software Inspector also
provides thorough guidelines for updating the software to the latest
secure version from the vendor.
ORIGINAL ADVISORY:
http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches; only
use those supplied by the vendor.
VAR-200612-0484 | CVE-2006-4097 | Cisco Secure Access Control Server vulnerable to a stack-based buffer overflow via a specially crafted "HTTP GET" request |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Multiple unspecified vulnerabilities in the CSRadius service in Cisco Secure Access Control Server (ACS) for Windows before 4.1 and ACS Solution Engine before 4.1 allow remote attackers to cause a denial of service (crash) via a crafted RADIUS Access-Request packet. NOTE: it has been reported that at least one issue is a heap-based buffer overflow involving the Tunnel-Password attribute.
Versions prior to 4.1 are vulnerable to these issues.
Two of the vulnerabilities may permit arbitrary code execution after
exploitation of the specified vulnerability. This vulnerability is also
susceptible to a stack overflow condition.
Cisco has made free software available to address this issue for affected
customers.
We would like to thank CESG's Vulnerability Research Group and National
Infrastructure Security Co-ordination Centre (NISCC) for reporting
several of these vulnerabilities to Cisco Systems.
We greatly appreciate the opportunity to work with researchers on
security vulnerabilities, and welcome the opportunity to review and
assist in product reports.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20070105-csacs.shtml.
The following example would be seen when running
Cisco Secure ACS software version 4.0(1) Build 27:
CiscoSecure ACS
ACS software version 4.0(1) Build 27
Copyright information is seen underneath this information.
Products Confirmed Not Vulnerable
+--------------------------------
* Cisco Secure ACS for Unix (CSU).
* Cisco CNS Access Registrar (CAR).
* Cisco Secure ACS server for Windows version 4.1(X) or later.
* Cisco Secure ACS server solution Engine version 4.1(X) or later.
CSAdmin is the service that provides the web server for the ACS web
administration interface.
CSRadius is the service that communicates between the CSAuth module (the
authentication and authorization service) and the access device that is
requesting authentication and authorization services.
Specially Crafted HTTP GET Request Vulnerability:
+------------------------------------------------
This vulnerability is exploited by processing a specially crafted HTTP
GET request. Upon successful exploitation, the CSAdmin service may
crash. This vulnerability is also susceptible to a stack based overflow
condition which may allow arbitrary code execution if successfully
exploited.
If this vulnerability is successfully exploited, the CSAdmin service
will require a manual restart of the service. Normal Authentication,
Authorization and Accounting (AAA) processing will continue. With Cisco
Secure ACS for Windows you can start or stop CSAdmin from the Windows
Control Panel.
Upon successful exploitation, the CSRadius
service may crash and an exception trap error will be generated for
the CSRadius service within the Windows Event Viewer System log. This
vulnerability is also susceptible to a stack based overflow condition
which may allow arbitrary code execution if successfully exploited.
This vulnerability is documented in Cisco Bug ID:
* CSCse18278 -- Stack based overflow within CSRadius when processing
Accounting-Request.
These vulnerabilities will not allow arbitrary
code execution after successful exploitation. An exception trap error
will be recorded within the CSRadius log file and an error will be seen
for the CSRadius service within the Windows Event Viewer System log
after successful exploitation.
These vulnerabilities are documented in Cisco Bug IDs:
* CSCse18250 -- CSRadius Service crashes when processing a specially
crafted Access-Request packet. (CVE-2006-4097)
* CSCeg04788 -- CSRadius Service crashes when processing a specially
crafted Access-Request packet.
* CSCeg04666 -- CSRadius Service crashes when processing a specially
crafted Access-Request packet.
Vulnerability Scoring Details
=============================
Cisco is providing scores for the vulnerabilities in this advisory based
on the Common Vulnerability Scoring System (CVSS).
Cisco will provide a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of the
vulnerability in individual networks.
Cisco PSIRT will set the bias in all cases to normal. Customers
are encouraged to apply the bias parameter when determining the
environmental impact of a particular vulnerability.
CVSS is a standards based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.
Cisco has also provided a CVSS calculator to help compute
the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.
Cisco Bug IDs:
CSCsd96293 - Stack based overflow within
CSAdmin when processing HTTP GET request
+---------------------------------------
CVSS Base Score - 10
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 8.3
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCse18278 - Stack based overflow within
CSRadius when processing Accounting-Request
+------------------------------------------
CVSS Base Score - 6.0
Access Vector: Remote
Access Complexity: Low
Authentication: Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 5.0
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCse18250 - CSRadius Service crashes when processing
a specially crafted Access-Request packet.
+----------------------------------------------------
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCeg04788 - CSRadius Service crashes when processing
a specially crafted Access-Request packet.
+----------------------------------------------------
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
CSCeg04666 - CSRadius Service crashes when processing
a specially crafted Access-Request packet.
+----------------------------------------------------
CVSS Base Score - 3.3
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 2.7
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed
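As an added example (not part of the Cisco advisory or the VARIoT record), the following Python recomputes the base and temporal scores listed above from the metric names in each block. It assumes the CVSS version 1 metric weights, which the advisory does not print, and embeds the CSCsd96293 block copied from the scoring section as its sample input.

```python
from decimal import Decimal, ROUND_HALF_UP

# CVSS version 1 metric weights. These numbers are an assumption of this example,
# taken from the CVSS v1 specification; the advisory prints only metric names.
ACCESS_VECTOR = {"Local": "0.7", "Remote": "1.0"}
ACCESS_COMPLEXITY = {"High": "0.8", "Low": "1.0"}
AUTHENTICATION = {"Required": "0.6", "Not Required": "1.0"}
IMPACT = {"None": "0", "Partial": "0.7", "Complete": "1.0"}
# Impact bias weights applied to (Confidentiality, Integrity, Availability).
IMPACT_BIAS = {"Normal": ("0.333", "0.333", "0.333"),
               "Confidentiality": ("0.5", "0.25", "0.25"),
               "Integrity": ("0.25", "0.5", "0.25"),
               "Availability": ("0.25", "0.25", "0.5")}
EXPLOITABILITY = {"Unproven": "0.85", "Proof of Concept": "0.9",
                  "Functional": "0.95", "High": "1.0"}
REMEDIATION_LEVEL = {"Official Fix": "0.87", "Temporary Fix": "0.9",
                     "Workaround": "0.95", "Unavailable": "1.0"}
REPORT_CONFIDENCE = {"Unconfirmed": "0.9", "Uncorroborated": "0.95",
                     "Confirmed": "1.0"}

def _round1(value):
    """Round half up to one decimal place, as the CVSS v1 formulas do."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def base_score(av, ac, au, conf, integ, avail, bias="Normal"):
    """CVSS v1 base score: 10 * AV * AC * Au * (C*Cb + I*Ib + A*Ab)."""
    cb, ib, ab = (Decimal(w) for w in IMPACT_BIAS[bias])
    impact = (Decimal(IMPACT[conf]) * cb + Decimal(IMPACT[integ]) * ib
              + Decimal(IMPACT[avail]) * ab)
    raw = (Decimal(10) * Decimal(ACCESS_VECTOR[av]) * Decimal(ACCESS_COMPLEXITY[ac])
           * Decimal(AUTHENTICATION[au]) * impact)
    return _round1(raw)

def temporal_score(base, exploitability, remediation, confidence):
    """CVSS v1 temporal score: rounded base score * E * RL * RC."""
    raw = (Decimal(str(base)) * Decimal(EXPLOITABILITY[exploitability])
           * Decimal(REMEDIATION_LEVEL[remediation]) * Decimal(REPORT_CONFIDENCE[confidence]))
    return _round1(raw)

def parse_score_block(text):
    """Turn one 'Metric: Value' / 'CVSS ... Score - N' block into a dict."""
    metrics = {}
    for line in text.strip().splitlines():
        sep = ":" if ":" in line else " - "
        key, found, value = line.partition(sep)
        if found:
            metrics[key.strip()] = value.strip()
    return metrics

def verify_block(text):
    """Recompute one block's scores; returns (base, temporal, matches_stated)."""
    m = parse_score_block(text)
    base = base_score(m["Access Vector"], m["Access Complexity"], m["Authentication"],
                      m["Confidentiality Impact"], m["Integrity Impact"],
                      m["Availability Impact"], m["Impact Bias"])
    temporal = temporal_score(base, m["Exploitability"], m["Remediation Level"],
                              m["Report Confidence"])
    stated = (float(m["CVSS Base Score"]), float(m["CVSS Temporal Score"]))
    return base, temporal, (base, temporal) == stated

# Score block for CSCsd96293, copied from the advisory's scoring section.
CSCSD96293 = """CVSS Base Score - 10
Access Vector: Remote
Access Complexity: Low
Authentication: Not Required
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Impact Bias: Normal
CVSS Temporal Score - 8.3
Exploitability: Functional
Remediation Level: Official Fix
Report Confidence: Confirmed"""

# CSCse18278 differs only in Authentication: Required, scored 6.0 / 5.0.
CSCSE18278 = (CSCSD96293.replace("Base Score - 10", "Base Score - 6.0")
              .replace("Authentication: Not Required", "Authentication: Required")
              .replace("Temporal Score - 8.3", "Temporal Score - 5.0"))
```

The Authentication: Required weight is what drops the Accounting-Request bug from 10 to 6.0 even though its impact metrics are identical to the HTTP GET bug's.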
Impact
======
Specially Crafted HTTP GET Request Vulnerability:
+------------------------------------------------
Successful exploitation may result in the web administrative interface
being unavailable until the CSAdmin Service is restarted from the Windows
Control Panel. Normal Authentication, Authorization and Accounting (AAA)
processing will continue. This vulnerability may allow arbitrary code
execution if successfully exploited.
TACACS+ Authentication, Authorization and
Accounting (AAA) processing will continue. Repeated exploitation could
result in a sustained Denial-of-Service (DoS) condition of the RADIUS
AAA services. This vulnerability may allow arbitrary code execution if
successfully exploited.
Specially Crafted RADIUS Access-Request Vulnerabilities:
+-------------------------------------------------------
Successful exploitation may result in RADIUS Authentication,
Authorization and Accounting processing not being performed while the
CSRadius service restarts. TACACS+ Authentication, Authorization and
Accounting (AAA) processing will continue. Repeated exploitation could
result in a sustained Denial-of-Service (DoS) condition of the RADIUS
AAA services.
Software Version and Fixes
==========================
When considering software upgrades, also consult
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center ("TAC") or your contracted
maintenance provider for assistance.
Each row of the software table (below) describes one of the
vulnerabilities described in this document. For each vulnerability
the earliest possible Release that contains the fix is listed in the
"Availability of First Fixed Release" column. A device running a release
that is earlier than the release in a specific column (less than the
First Fixed Release) is known to be vulnerable. The release should be
upgraded at least to the indicated release or a later version (greater
than or equal to the First Fixed Release label) or the appropriate patch
applied.
+-----------------------------------------------------------------------------+
| Vulnerability | Major Software | Availability of First Fixed |
| | Release | Releases * |
|--------------------------+------------------+-------------------------------|
| | 3.1(X) | Vulnerable; Contact TAC |
| |------------------+-------------------------------|
| | 3.2(X) | Vulnerable; Contact TAC |
| |------------------+-------------------------------|
| HTTP Vulnerability | 3.3(X) | 3.3(4) Build 12. |
| |------------------+-------------------------------|
| | 4.0(X) | Apply patch **. |
| |------------------+-------------------------------|
| | 4.1(X) | Are not vulnerable |
|--------------------------+------------------+-------------------------------|
| | 3.1(X) | Vulnerable; Contact TAC |
| |------------------+-------------------------------|
| | 3.2(X) | Vulnerable; Contact TAC |
| Accounting-Request |------------------+-------------------------------|
| Vulnerability | 3.3(X) | 3.3(4) Build 12. |
| |------------------+-------------------------------|
| | 4.0(X) | 4.0(1) Build 27. |
| |------------------+-------------------------------|
| | 4.1(X) | Are not vulnerable |
|--------------------------+------------------+-------------------------------|
| | 3.1(X) | Vulnerable; Contact TAC |
| |------------------+-------------------------------|
| | 3.2(X) | Vulnerable; Contact TAC |
| Access-Request |------------------+-------------------------------|
| Vulnerabilities | 3.3(X) | 3.3(3) Build 11. |
| |------------------+-------------------------------|
| | 4.0(X) | 4.0(1) Build 27. |
| |------------------+-------------------------------|
| | 4.1(X) | Are not vulnerable |
|-----------------------------------------------------------------------------|
| Notes: |
| |
| * 3.3(4) Build 12 is available by contacting Cisco TAC. |
+-----------------------------------------------------------------------------+
The effectiveness of any mitigation or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied mitigation or fix
is the most appropriate for use in the intended network before it is
deployed.
Additional mitigations that can be deployed on Cisco
devices within the network are available in the Cisco
Applied Intelligence companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-air-20070105-csacs.shtml
* Infrastructure ACLs (iACL)
Apply access control lists (ACLs) on routers, switches and firewalls that
filter traffic to the ACS so that traffic is only allowed from stations
that need to remotely administer the box, or be authenticated, authorized,
or provide accounting data against/to the ACS server. Refer to
http://www.cisco.com/warp/public/707/iacl.html for examples on
infrastructure ACLs.
* Anti-Spoofing
To prevent spoofed IP packets with the source IP address set to that
of the Cisco Secure ACS administrative management station from reaching
the Cisco Secure ACS server, utilize anti-spoofing techniques. For more
information on utilizing ACLs for anti-spoofing, refer to
http://www.cisco.com/warp/public/707/21.pdf and
http://www.ietf.org/rfc/rfc2827.txt.
The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to
mitigate problems that are caused by forged IP source addresses that
are passing through a router. Refer to
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfrpf.htm
for more information.
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability
for affected customers. This advisory will be updated as fixed software
becomes available. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature
sets they have purchased. By installing, downloading, accessing
or otherwise using such software upgrades, customers agree to be
bound by the terms of Cisco's software license terms found at
http://www.cisco.com/public/sw-license-agreement.html, or as otherwise
set forth at Cisco.com Downloads at
http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for
software upgrades.
Customers with Service Contracts
+-------------------------------
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for guidance and assistance with the
appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific
customer situations such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or fix
is the most appropriate for use in the intended network before it is
deployed.
Customers without Service Contracts
+----------------------------------
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point
of sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac@cisco.com
Have your product serial number available and give the URL of this
notice as evidence of your entitlement to a free upgrade. Free upgrades
for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Exploitation and Public Announcements
=====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.
Several of these vulnerabilities were reported to Cisco by CESG's
Vulnerability Research Group and National Infrastructure Security
Co-ordination Centre (NISCC).
VAR-200612-0320 | CVE-2006-6906 | Apple Mac OS Run on Bluetooth Unspecified vulnerability in stack |
CVSS V2: 7.2 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Bluetooth stack on Mac OS 10.4.7 and earlier has unknown impact and local attack vectors, related to "Mach Exception Handling", a different issue than CVE-2006-6900. This issue is distinct from CVE-2006-6900. Details of the impact of this vulnerability are unknown. Mac OS X is prone to a local security vulnerability.
VAR-200612-0314 | CVE-2006-6900 | Apple Mac OS of Bluetooth Unspecified vulnerability in stack |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Unspecified vulnerability in the Bluetooth stack in Apple Mac OS 10.4 has unknown impact and attack vectors, related to an "implementation bug". Mac OS X is prone to a remote security vulnerability.
VAR-200612-0416 | CVE-2006-6718 | Allied Telesis AT-9000/24 Ethernet Vulnerability to execute unauthorized actions on the switch |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The Allied Telesis AT-9000/24 Ethernet switch has a default password for its admin account, "manager," which allows remote attackers to perform unauthorized actions. AT-9000/24 is prone to a cross-site request forgery vulnerability.