VARIoT IoT vulnerabilities database

The HTTP service on the Cisco Linksys WRH54G with firmware 1.01.03 allows remote attackers to cause a denial of service (management interface outage) or possibly execute arbitrary code via a URI that begins with a "/./" sequence, contains many instances of a "front_page" sequence, and ends with a ".asp" sequence. Firmware Cisco Linksys WRH54G of HTTP Service disrupted service operation (DoS) Vulnerabilities exist. Linksys Wrh54g Router is prone to a denial-of-service vulnerability. The URI begins with a "/./" sequence, contains many "front_page" sequences, and ends with an ".asp" sequence. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Linksys WRH54G Denial of Service Vulnerability SECUNIA ADVISORY ID: SA30562 VERIFY ADVISORY: http://secunia.com/advisories/30562/ CRITICAL: Less critical IMPACT: DoS WHERE: >From local network OPERATING SYSTEM: Linksys WRH54G http://secunia.com/product/19001/ DESCRIPTION: A vulnerability has been reported in Linksys WRH54G, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error when processing HTTP requests. This can be exploited to disable the HTTP service by sending a specially crafted HTTP request to an affected device. The vulnerability is reported in firmware version 1.01.03. Prior versions may also be affected. SOLUTION: Update to firmware version 1.01.04. PROVIDED AND/OR DISCOVERED BY: dubingyao ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in Apple QuickTime before 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted AAC-encoded file that triggers memory corruption. These issues arise when the application handles specially crafted PICT image files, Indeo video content, movie files, 'file:' URIs, and AAC-encoded media. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user; failed exploits will cause denial-of-service conditions. Versions prior to QuickTime 7.5 are affected. NOTE: This BID is being retired; the following individual records have been created to better document the issues: 29649 Apple QuickTime 'PICT' Image 'PixData' Structures Handling Heap Overflow Vulnerability 29650 Apple QuickTime 'file:' URI File Execution Vulnerability 29654 Apple QuickTime 'AAC-encoded' Media Memory Corruption Vulnerability 29648 Apple QuickTime 'PICT' Image Buffer Overflow Vulnerability 29652 Apple QuickTime Indo Video Codec Buffer Overflow Vulnerability. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29293 VERIFY ADVISORY: http://secunia.com/advisories/29293/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error when parsing packed scanlines from a PixData structure in a PICT file can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file. 5) An error in the handling of "file:" URLs can be exploited to e.g. execute arbitrary programs when playing specially crafted QuickTIme content in QuickTime Player. SOLUTION: Update to version 7.5 (via Software Update or Apple Downloads. See vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: 1) Dyon Balding, Secunia Research 2) Independently discovered by: * Dave Soldera, NGS Software * Jens Alfke 3) Liam O Murchu, Symantec 4) An anonymous researcher, reported via ZDI 5) Independently discovered by: * Vinoo Thomas and Rahul Mohandas, McAfee Avert Labs * Petko D. (pdp) Petkov, GNUCITIZEN ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT1991 Secunia Research: http://secunia.com/secunia_research/2008-9/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-162C Apple Quicktime Updates for Multiple Vulnerabilities Original release date: June 10, 2008 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X running versions of QuickTime prior to 7.5 * Microsoft Windows running versions of QuickTime prior to 7.5 Overview Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. I. Apple QuickTime 7.5 addresses these vulnerabilities. Note that Apple iTunes for Windows installs QuickTime, so any system with iTunes may be vulnerable. II. For further information, please see Apple knowledgebase article HT1991 about the security content of QuickTime 7.5 III. Solution Upgrade QuickTime Upgrade to QuickTime 7.5. This and other updates for Mac OS X are available via Apple Update. Secure your web browser To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser. IV. References * About the security content of the QuickTime 7.5 Update - <http://support.apple.com/kb/HT1991> * How to tell if Software Update for Windows is working correctly when no updates are available - <http://docs.info.apple.com/article.html?artnum=304263> * Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * US-CERT Vulnerability Notes for QuickTime 7.5 - <http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-162C.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History June 10, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3 8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5 FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg== =e01A -----END PGP SIGNATURE-----

Heap-based buffer overflow in Apple QuickTime before 7.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PICT image, a different vulnerability than CVE-2008-1581. Apple QuickTime does not properly handle "file: URLs" which may allow an attacker to execute arbitrary code. CVE-2008-1581 Is a different vulnerability.Service disruption by a third party (DoS) Could be put into a state or arbitrary code could be executed. These issues arise when the application handles specially crafted PICT image files, Indeo video content, movie files, 'file:' URIs, and AAC-encoded media. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user; failed exploits will cause denial-of-service conditions. Versions prior to QuickTime 7.5 are affected. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29293 VERIFY ADVISORY: http://secunia.com/advisories/29293/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 5) An error in the handling of "file:" URLs can be exploited to e.g. execute arbitrary programs when playing specially crafted QuickTIme content in QuickTime Player. SOLUTION: Update to version 7.5 (via Software Update or Apple Downloads. See vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: 1) Dyon Balding, Secunia Research 2) Independently discovered by: * Dave Soldera, NGS Software * Jens Alfke 3) Liam O Murchu, Symantec 4) An anonymous researcher, reported via ZDI 5) Independently discovered by: * Vinoo Thomas and Rahul Mohandas, McAfee Avert Labs * Petko D. (pdp) Petkov, GNUCITIZEN ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT1991 Secunia Research: http://secunia.com/secunia_research/2008-9/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-162C Apple Quicktime Updates for Multiple Vulnerabilities Original release date: June 10, 2008 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X running versions of QuickTime prior to 7.5 * Microsoft Windows running versions of QuickTime prior to 7.5 Overview Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. I. Apple QuickTime 7.5 addresses these vulnerabilities. Note that Apple iTunes for Windows installs QuickTime, so any system with iTunes may be vulnerable. II. For further information, please see Apple knowledgebase article HT1991 about the security content of QuickTime 7.5 III. Solution Upgrade QuickTime Upgrade to QuickTime 7.5. This and other updates for Mac OS X are available via Apple Update. Secure your web browser To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser. IV. References * About the security content of the QuickTime 7.5 Update - <http://support.apple.com/kb/HT1991> * How to tell if Software Update for Windows is working correctly when no updates are available - <http://docs.info.apple.com/article.html?artnum=304263> * Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * US-CERT Vulnerability Notes for QuickTime 7.5 - <http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-162C.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History June 10, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3 8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5 FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg== =e01A -----END PGP SIGNATURE-----

Heap-based buffer overflow in Apple QuickTime before 7.5 on Windows allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted packed scanlines in PixData structures in a PICT image. Apple QuickTime does not properly handle "file: URLs" which may allow an attacker to execute arbitrary code. These issues arise when the application handles specially crafted PICT image files, Indeo video content, movie files, 'file:' URIs, and AAC-encoded media. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user; failed exploits will cause denial-of-service conditions. Versions prior to QuickTime 7.5 are affected. An attacker can exploit this issue to execute arbitrary within the context of the affected application. Failed exploit attempts will result in a denial-of-service vulnerability. If the user is tricked into opening a malicious PICT graphics, it will cause the player to terminate or execute arbitrary instructions. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29293 VERIFY ADVISORY: http://secunia.com/advisories/29293/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 5) An error in the handling of "file:" URLs can be exploited to e.g. execute arbitrary programs when playing specially crafted QuickTIme content in QuickTime Player. SOLUTION: Update to version 7.5 (via Software Update or Apple Downloads. See vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: 1) Dyon Balding, Secunia Research 2) Independently discovered by: * Dave Soldera, NGS Software * Jens Alfke 3) Liam O Murchu, Symantec 4) An anonymous researcher, reported via ZDI 5) Independently discovered by: * Vinoo Thomas and Rahul Mohandas, McAfee Avert Labs * Petko D. (pdp) Petkov, GNUCITIZEN ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT1991 Secunia Research: http://secunia.com/secunia_research/2008-9/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-162C Apple Quicktime Updates for Multiple Vulnerabilities Original release date: June 10, 2008 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X running versions of QuickTime prior to 7.5 * Microsoft Windows running versions of QuickTime prior to 7.5 Overview Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. I. Apple QuickTime 7.5 addresses these vulnerabilities. II. For further information, please see Apple knowledgebase article HT1991 about the security content of QuickTime 7.5 III. Solution Upgrade QuickTime Upgrade to QuickTime 7.5. This and other updates for Mac OS X are available via Apple Update. Secure your web browser To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser. IV. References * About the security content of the QuickTime 7.5 Update - <http://support.apple.com/kb/HT1991> * How to tell if Software Update for Windows is working correctly when no updates are available - <http://docs.info.apple.com/article.html?artnum=304263> * Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * US-CERT Vulnerability Notes for QuickTime 7.5 - <http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-162C.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History June 10, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3 8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5 FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg== =e01A -----END PGP SIGNATURE----- . ====================================================================== 6) Time Table 10/03/2008 - Vendor notified. 13/03/2008 - Vendor response. 10/06/2008 - Public disclosure. ====================================================================== 7) Credits Discovered by Dyon Balding, Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-1581 for the vulnerability. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://corporate.secunia.com/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://corporate.secunia.com/secunia_research/33/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/secunia_vacancies/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/secunia_security_advisories/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2008-9/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================

Stack-based buffer overflow in Indeo.qtx in Apple QuickTime before 7.5 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via crafted Indeo video codec content in a movie file. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of Quicktime files that utilize the Indeo video codec. A lack of proper bounds checking within Indeo.qtx can result in a stack based buffer overflow leading to arbitrary code execution under the context of the currently logged in user. These issues arise when the application handles specially crafted PICT image files, Indeo video content, movie files, 'file:' URIs, and AAC-encoded media. Successful exploits may allow attackers to gain remote unauthorized access in the context of a vulnerable user; failed exploits will cause denial-of-service conditions. Versions prior to QuickTime 7.5 are affected. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple QuickTime Multiple Vulnerabilities SECUNIA ADVISORY ID: SA29293 VERIFY ADVISORY: http://secunia.com/advisories/29293/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Apple QuickTime 7.x http://secunia.com/product/5090/ DESCRIPTION: Some vulnerabilities have been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system. 1) A boundary error when parsing packed scanlines from a PixData structure in a PICT file can be exploited to cause a heap-based buffer overflow via a specially crafted PICT file. 5) An error in the handling of "file:" URLs can be exploited to e.g. SOLUTION: Update to version 7.5 (via Software Update or Apple Downloads. See vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: 1) Dyon Balding, Secunia Research 2) Independently discovered by: * Dave Soldera, NGS Software * Jens Alfke 3) Liam O Murchu, Symantec 4) An anonymous researcher, reported via ZDI 5) Independently discovered by: * Vinoo Thomas and Rahul Mohandas, McAfee Avert Labs * Petko D. (pdp) Petkov, GNUCITIZEN ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT1991 Secunia Research: http://secunia.com/secunia_research/2008-9/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 -- Disclosure Timeline: 2008-02-07 - Vulnerability reported to vendor 2008-06-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Anonymous -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-162C Apple Quicktime Updates for Multiple Vulnerabilities Original release date: June 10, 2008 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X running versions of QuickTime prior to 7.5 * Microsoft Windows running versions of QuickTime prior to 7.5 Overview Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. I. Apple QuickTime 7.5 addresses these vulnerabilities. Note that Apple iTunes for Windows installs QuickTime, so any system with iTunes may be vulnerable. II. For further information, please see Apple knowledgebase article HT1991 about the security content of QuickTime 7.5 III. Solution Upgrade QuickTime Upgrade to QuickTime 7.5. This and other updates for Mac OS X are available via Apple Update. Secure your web browser To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser. IV. References * About the security content of the QuickTime 7.5 Update - <http://support.apple.com/kb/HT1991> * How to tell if Software Update for Windows is working correctly when no updates are available - <http://docs.info.apple.com/article.html?artnum=304263> * Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * US-CERT Vulnerability Notes for QuickTime 7.5 - <http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-162C.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History June 10, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3 8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5 FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg== =e01A -----END PGP SIGNATURE-----

Apple QuickTime before 7.5 uses the url.dll!FileProtocolHandler handler for unrecognized URIs in qt:next attributes within SMIL text in video files, which sends these URIs to explorer.exe and thereby allows remote attackers to execute arbitrary programs, as originally demonstrated by crafted file: URLs. User interaction is required to exploit this vulnerability in that the target must open a malicious file.The specific flaw exists in the handling of SMIL text embedded in video formats. No sanity checking is performed on values of the qt:next attribute. These issues arise when the application handles specially crafted PICT image files, Indeo video content, movie files, 'file:' URIs, and AAC-encoded media. Versions prior to QuickTime 7.5 are affected. This issue may lead to a remote compromise. The issue arises because of improper handling of the 'file:' URI. Versions prior to QuickTime 7.5 running on Apple Mac OS X 10.3.9, Mac OS X 10.4.9 to v10.4.11, Mac OS X 10.5 or later, Windows Vista, and Windows XP SP2 are affected. ZDI-08-038: QuickTime SMIL qtnext Redirect File Execution http://www.zerodayinitiative.com/advisories/ZDI-08-038 June 10, 2008 -- CVE ID: CVE-2008-1585 -- Affected Vendors: Apple -- Affected Products: Apple Quicktime -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 6119. -- Vendor Response: Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222 -- Disclosure Timeline: 2008-05-08 - Vulnerability reported to vendor 2008-06-10 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * Petko D. (pdp) Petkov | GNUCITIZEN -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com. execute arbitrary programs when playing specially crafted QuickTIme content in QuickTime Player. See vendor's advisory for details). ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: Apple TV Multiple Vulnerabilities SECUNIA ADVISORY ID: SA31034 VERIFY ADVISORY: http://secunia.com/advisories/31034/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote OPERATING SYSTEM: Apple TV 2.x http://secunia.com/product/19289/ DESCRIPTION: Some vulnerabilities have been reported in Apple TV, which can be exploited by malicious people to compromise a vulnerable system. 1) A boundary error in the handling of data reference atoms in movie files can be exploited to cause a buffer overflow. For more information see vulnerability #3 in: SA29650 2) A boundary error in the handling of "crgn" atoms in movie files can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #5 in: SA29650 3) A boundary error in the handling of "chan" atoms in movie files can be exploited to cause a heap-based buffer overflow. For more information see vulnerability #6 in: SA29650 4) An error in the handling of "file:" URLs can be exploited to e.g. execute arbitrary programs. For more more information see vulnerability #5 in: SA29293 5) A boundary error when handling RTSP replies can be exploited to cause a heap-based buffer overflow. For more information: SA28423 6) A boundary error when processing compressed PICT images can be exploited to cause a buffer overflow. For more information see vulnerability #4 in: SA28502 SOLUTION: Update to version 2.1. PROVIDED AND/OR DISCOVERED BY: 1,6) Chris Ries of Carnegie Mellon University Computing Services. 2) Sanbin Li, reporting via ZDI. 3) An anonymous researcher, reporting via ZDI. 4) Independently discovered by: * Vinoo Thomas and Rahul Mohandas, McAfee Avert Labs * Petko D. (pdp) Petkov, GNUCITIZEN 5) Luigi Auriemma ORIGINAL ADVISORY: http://support.apple.com/kb/HT2304 OTHER REFERENCES: SA28423: http://secunia.com/advisories/28423/ SA28502: http://secunia.com/advisories/28502/ SA29293: http://secunia.com/advisories/29293/ SA29650: http://secunia.com/advisories/29650/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA08-162C Apple Quicktime Updates for Multiple Vulnerabilities Original release date: June 10, 2008 Last revised: -- Source: US-CERT Systems Affected * Apple Mac OS X running versions of QuickTime prior to 7.5 * Microsoft Windows running versions of QuickTime prior to 7.5 Overview Apple QuickTime contains multiple vulnerabilities as described in the Apple Knowledgebase article HT1991. I. Apple QuickTime 7.5 addresses these vulnerabilities. Note that Apple iTunes for Windows installs QuickTime, so any system with iTunes may be vulnerable. II. For further information, please see Apple knowledgebase article HT1991 about the security content of QuickTime 7.5 III. Solution Upgrade QuickTime Upgrade to QuickTime 7.5. Secure your web browser To help mitigate these and other vulnerabilities that can be exploited via a web browser, refer to Securing Your Web Browser. IV. References * About the security content of the QuickTime 7.5 Update - <http://support.apple.com/kb/HT1991> * How to tell if Software Update for Windows is working correctly when no updates are available - <http://docs.info.apple.com/article.html?artnum=304263> * Apple - QuickTime - Download - <http://www.apple.com/quicktime/download/> * Mac OS X: Updating your software - <http://docs.info.apple.com/article.html?artnum=106704> * Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/> * US-CERT Vulnerability Notes for QuickTime 7.5 - <http://www.kb.cert.org/vuls/byid?searchview&query=apple_quicktime_7.5> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-162C.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-162C Feedback VU#132419" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2008 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History June 10, 2008: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSE7bhHIHljM+H4irAQKGtQf/bW1M/gN6V35MDqIGFK3PbaIXBqnhtFws xPl6zNdWmYVCHid6u0aZ+UYE+AESK3Qw3DdiwLRr3X9R4hoGmRUGiedv4h0owQTb Rij3K5simf2vbNBsVopFNeVnokOowkcRYUk/n0QnGn5FUnwDeKutrMwXQ94As/Y3 8z/VsKpwqjScHgedT6Hv67f8E6kSma4BBcK2NlRC9VMTWN2oUD7MDI/BSp5kcqaM TJfBJzqsWUywWRP3Bi8PYOLYbmC5Qj7nirl0lzCjJdNiS/GKUnT4LezHTlVhVOv5 FTnkO25morpDQph2+oBi6o+lCOBu6G6RtfQ7u15CGDCeZyme2B79eg== =e01A -----END PGP SIGNATURE-----

A cross-site scripting vulnerability has been found in the Hitachi Groupmax Collaboration products.A remote attacker could execute arbitrary scripts.

XMAP3's print function has a vulnerability that could cause a temporary denial of service (DoS) condition when receiving unexpected data.An attacker could cause a denial of service (DoS) condition by sending unexpected data to XMAP3's print service.

Multiple vulnerabilities have been found in the JP1/Cm2/Network Node Manager (NNM) Web coordinated function.A remote attacker could execute arbitrary scripts or code, or cause a denial of service (DoS) condition.

NetScout (formerly Network General) Visualizer V2100 and InfiniStream i1730 do not restrict access to ResourceManager/en_US/domains/add_domain.jsp, which allows remote attackers to gain administrator privileges via a direct request. Attackers can exploit this issue to perform unauthorized administrative functions. This can aid in further attacks. The NetScout Administrator device is vulnerable; other devices may also be affected. Reports indicated that this issue may exist in Network General Visualizer V2100 and Network General Infinistream i1730 Sniffer. This has not been confirmed. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ International Partner Manager - Project Sales in the IT-Security Industry: http://corporate.secunia.com/about_secunia/64/ ---------------------------------------------------------------------- TITLE: NetScout Visualizer / InfiniStream Security Bypass SECUNIA ADVISORY ID: SA30514 VERIFY ADVISORY: http://secunia.com/advisories/30514/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote OPERATING SYSTEM: NetScout Visualizer http://secunia.com/product/19033/ Network General InfiniStream i1730 http://secunia.com/product/19035/ DESCRIPTION: A vulnerability has been reported in NetScout Visualizer and InfiniStream, which can be exploited by malicious users to perform certain actions with escalated privileges. The vulnerability is caused due to improper access restrictions to certain administrative pages in the web interface. This can be exploited to access administrative functions by directly accessing the URL of such pages. SOLUTION: Grant only trusted users access to affected system. PROVIDED AND/OR DISCOVERED BY: jgrove_2000 ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2008-06/0068.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple cross-site scripting (XSS) vulnerabilities in F5 FirePass SSL VPN 6.0.2 hotfix 3, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via quotes in (1) the css_exceptions parameter in vdesk/admincon/webyfiers.php and (2) the sql_matchscope parameter in vdesk/admincon/index.php. (1) vdesk/admincon/webyfiers.php Inside css_exceptions Parameters (2) vdesk/admincon/index.php Inside sql_matchscope Parameters. F5 FirePass SSL VPN is prone to multiple cross-site request-forgery vulnerabilities because it fails to adequately sanitize user-supplied input. Exploiting these issues may allow a remote attacker to execute arbitrary actions in the context of the affected application. FirePass 6.0.2 hotfix 3 is vulnerable; other versions may also be affected. F5 FirePass SSL VPN devices allow users to securely connect to critical business applications. The F5 FirePass SSL VPN device performs basic filtering on web requests submitted through Portal Access. The Content Inspection function is configured and customized through the web management interface, and the /vdesk/admincon/webyfiers.php file of this web management interface is not correct. If a remote attacker submits a malicious HTTP request to the above page, a cross-site scripting attack can be executed, resulting in the execution of arbitrary instructions. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: F5 FirePass SSL VPN Appliance Cross-Site Scripting Vulnerabilities SECUNIA ADVISORY ID: SA30550 VERIFY ADVISORY: http://secunia.com/advisories/30550/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: FirePass 5.x http://secunia.com/product/4695/ FirePass 6.x http://secunia.com/product/13146/ DESCRIPTION: nnposter has reported some vulnerabilities in F5 FirePass, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "css_exceptions" parameter in /vdesk/admincon/webyfiers.php and to the "sql_matchscope" parameter in /vdesk/admincon/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the administrative interface. SOLUTION: Do not visit untrusted sites or follow untrusted links while being logged in to the administrative interface. PROVIDED AND/OR DISCOVERED BY: nnposter ORIGINAL ADVISORY: http://archives.neohapsis.com/archives/bugtraq/2008-06/0063.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.1.x before 7.1(2)70, 7.2.x before 7.2(4), and 8.0.x before 8.0(3)10 allows remote attackers to cause a denial of service via a crafted TCP ACK packet to the device interface. Cisco PIX and Cisco ASA are prone to multiple denial-of-service vulnerabilities and an unauthorized-access vulnerability. An attacker can exploit these issues to bypass ACL lists and to cause an affected device to reboot or crash. This security advisory outlines details of these vulnerabilities: * Crafted TCP ACK Packet Vulnerability * Crafted TLS Packet Vulnerability * Instant Messenger Inspection Vulnerability * Vulnerability Scan Denial of Service * Control-plane Access Control List Vulnerability The first four vulnerabilities may lead to a denial of service (DoS) condition and the fifth vulnerability may allow an attacker to bypass control-plane access control lists (ACL). Note: These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml Affected Products ================= Vulnerable Products +------------------ The following are the details about each vulnerability described within this advisory. Software versions prior to 7.1(2)70 on the 7.1.x release, 7.2(4) on the 7.2.x release, and 8.0 (3)10 on the 8.0.x release are affected. Devices running software versions on the 8.0 release that are configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM enabled are affected by this vulnerability. Note: Devices running IPv4 and IPv6 are affected by this vulnerability. Devices running software versions in the 7.0.x and 7.1.x releases are not vulnerable. Additionally, devices that do not have Instant Messaging Inspection enabled are not vulnerable. Note: Instant Messaging Inspection is disabled by default. Control-plane Access Control List Vulnerability +---------------------------------------------- Cisco ASA and Cisco PIX devices are affected by a vulnerability if the device is configured to use control-plane ACLs and if it is running software versions prior to 8.0(3)9 on the 8.0.x release. Devices running software versions 7.x or 8.1.x are not vulnerable. Note: Control-plane ACLs were first introduced in software version 8.0(2). The control-plane ACLs are not enabled by default. The show version command-line interface (CLI) command can be used to determine if a vulnerable version of the Cisco PIX or Cisco ASA software is running. Products Confirmed Not Vulnerable +-------------------------------- The Cisco Firewall Services Module (FWSM) is not affected by any of these vulnerabilities. Cisco PIX security appliances running versions 6.x are not vulnerable. No other Cisco products are currently known to be affected by these vulnerabilities. Details ======= This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other. 1. Only packets destined to the device (not transiting the device) may trigger the effects of this vulnerability. Devices running software versions on the 8.0 release that are configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM enabled are affected by this vulnerability. The telnet command is used identify the IP addresses from which the security appliance accepts Telnet connections. ASA(config)# telnet 192.168.10.0 255.255.255.0 inside In the previous example, the Cisco ASA is configured to accept Telnet connections on the inside interface from the 192.168.10.0/24 network. Note: You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel. ASDM management sessions are enabled via the http server enable and http commands. The ssh command is used identify the IP addresses from which the security appliance accepts SSH connections. For example: ASA(config)# ssh 192.168.10.0 255.255.255.0 inside In the previous example the Cisco ASA is configured to accept SSH connections on the inside interface from the 192.168.10.0/24 network. Clientless WebVPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA with WebVPN configured and enabled. In this case the ASA will listen for WebVPN connections on the default port, TCP port 443: http server enable ! webvpn enable outside Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface. This vulnerability is documented in Cisco Bug ID CSCsm84110 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2055. 2. Crafted TLS Packet Vulnerability +---------------------------------- Transport Layer Security (TLS) is the replacement for the Secure Socket Layer (SSL) protocol. It is a protocol that provides, via cryptography, secure communications between two end-points. In all these scenarios, the PIX and ASA may be affected by a vulnerability in the handling of the TLS protocol that may lead to a reload of the device when it processes specially crafted TLS packets. Note: Only packets destined to the device (not transiting the device) may trigger the effects of this vulnerability. The following list contains some of the applications within the Cisco ASA and Cisco PIX devices that use TLS: * Clientless WebVPN, SSL VPN Client, and AnyConnect Connections * ASDM (HTTPS) Management Sessions * Cut-Through Proxy for Network Access * TLS Proxy for Encrypted Voice Inspection Clientless WebVPN, SSL VPN Client, and AnyConnect Connections +------------------------------------------------------------ Clientless WebVPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command. For example, the following configuration shows a Cisco ASA with WebVPN configured and enabled. In this case the ASA will listen for WebVPN connections on the default port, TCP port 443: http server enable ! webvpn enable outside Note that with this particular configuration, the device is vulnerable to attacks coming from the outside interface. ASDM (HTTPS) Management Sessions +------------------------------- ASDM management sessions are enabled via the http server enable and http commands. For example, the following configuration shows an ASA configured for remote HTTPS management: http server enable http 192.168.0.0 255.255.255.0 inside Note that with this particular configuration the device is vulnerable to attacks coming from the inside interface and from the 192.168.0.0/ 24 IP sub-network. Cut-Through Proxy for Network Access +------------------------------------ The cut-through proxy feature is used to authenticate users before they can access the network. The following is an example of a configuration that requires users to authenticate before they can be granted network access: access-list auth-proxy extended permit tcp any any eq www access-list auth-proxy extended permit tcp any any eq telnet access-list auth-proxy extended permit tcp any any eq https ! aaa authentication match auth-proxy inside LOCAL aaa authentication secure-http-client aaa authentication listener https inside port https A configuration affected by this vulnerability will contain the command aaa authentication secure-http-client or aaa authentication listener https inside port <port number>. Note that with the configuration in the preceding example, the device is vulnerable to attacks coming from the inside interface. TLS Proxy for Encrypted Voice Inspection +--------------------------------------- The TLS proxy for encrypted voice inspection feature allows the security appliance to decrypt, inspect and modify (as needed, for example, performing NAT fixup), and re-encrypt voice signaling traffic while all of the existing VoIP inspection functions for SCCP and Session Initiation Protocol (SIP) protocols are preserved. Once voice signaling is decrypted, the plain-text signaling message is passed to the existing inspection engines. The security appliance accomplishes this by acting as a TLS proxy between the IP phone and Cisco Unified CallManager and Cisco Unified Communications Manager, which implies that TLS sessions are terminating on the security appliance. This is done over TCP ports 2443 and 5061. If the output contains the text tls-proxy: active and some statistics, then the device has a vulnerable configuration. The following example shows a vulnerable Cisco ASA Security Appliance: ASA# show service-policy | include tls Inspect: sip tls-proxy myproxy, packet 0, drop 0, reset-drop 0 tls-proxy: active sess 0, most sess 0, byte 0 Inspect: skinny tls-proxy myproxy, packet 0, drop 0, reset-drop 0 tls-proxy: active sess 0, most sess 0, byte 0 ASA# This vulnerability is documented in Cisco Bug ID CSCsm26841 and has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2056. 3. Instant Messenger Inspection Vulnerability +-------------------------------------------- The Cisco ASA and Cisco PIX Instant Messenger (IM) inspection engine is used to apply fine grained controls on the IM application usage within your network. More information on the IM inspection feature and its configuration can be found at: http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1479354 This vulnerability is documented in Cisco Bug ID CSCso22981 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2057. 4. Certain vulnerability (port) scanners will cause the system to reload. Note: This vulnerability is affected by traffic destined to the device on TCP port 443. The Cisco ASA and Cisco PIX security appliances use TCP port 443 for Clientless WebVPN, SSL VPN Client, AnyConnect client connections, HTTPS Management Sessions, Cut-Through Proxy for Network Access, and TLS Proxy for Encrypted Voice Inspection. Please refer to the details of the Crafted TLS Packet Vulnerability for additional information on these services. This vulnerability is documented in Cisco Bug ID CSCsj60659 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2058. 5. Control-plane Access Control List Vulnerability +------------------------------------------------- Control-plane ACLs are designed to protect traffic destined to the security appliance. The following example uses the show running-config | include control-plane command to determine if a control-plane ACL is configured on the device: ASA# show running-config | include control-plane access-group 101 in interface inside control-plane ASA# This vulnerability is documented in Cisco Bug ID CSCsm67466 and has been assigned Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-2059. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss CSCsm84110 - Crafted TCP ACK Packet Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsm26841 - Crafted TLS Packet Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCso22981 - Instant Messenger Inspection Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsj60659 - Vulnerability Scan Denial of Service CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - None Integrity Impact - None Availability Impact - Complete CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed CSCsm67466 - Control-plane Access Control List Vulnerability CVSS Base Score - 7.8 Access Vector - Network Access Complexity - Low Authentication - None Confidentiality Impact - Complete Integrity Impact - None Availability Impact - None CVSS Temporal Score - 6.4 Exploitability - Functional Remediation Level - Official-Fix Report Confidence - Confirmed Impact ====== Successful exploitation of the first four vulnerabilities may cause a reload of the affected device. Repeated exploitation could result in a sustained Denial-of-Service (DoS) condition. Successful exploitation of the fifth vulnerability may allow an attacker to bypass control-plane ACLs and successfully send malicious traffic to the device. Software Versions and Fixes =========================== When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. The following list contains the first fixed software release of each vulnerability: +---------------------------------------+ | | Affected | First | | Vulnerability | Release | Fixed | | | | Release | |---------------+----------+------------| | | 7.0 | Not | | | | vulnerable | | |----------+------------| | | 7.1 | 7.1(2)70 | |Crafted TCP |----------+------------| | ACK Packet | 7.2 | 7.2(4) | |Vulnerability |----------+------------| | | 8.0 | 8.0(3)10 | | |----------+------------| | | 8.1 | Not | | | | vulnerable | |---------------+----------+------------| | | 7.0 | Not | | | | vulnerable | | |----------+------------| | | 7.1 | Not | | Crafted TLS | | vulnerable | |Packet |----------+------------| | Vulnerability | 7.2 | Not | | | | vulnerable | | |----------+------------| | | 8.0 | 8.0(3)9 | | |----------+------------| | | 8.1 | 8.1(1)1 | |---------------+----------+------------| | | 7.0 | Not | | | | vulnerable | | |----------+------------| | Instant | 7.1 | Not | | Messenger | | vulnerable | |Inspection |----------+------------| | Vulnerability | 7.2 | 7.2(4) | | |----------+------------| | | 8.0 | 8.0(3)10 | | |----------+------------| | | 8.1 | 8.1(1)2 | |---------------+----------+------------| | | 7.0 | Not | | | | vulnerable | | |----------+------------| | | 7.1 | Not | | Vulnerability | | vulnerable | |Scan Denial |----------+------------| | of Service | 7.2 | 7.2(3)2 | | |----------+------------| | | 8.0 | 8.0(2)17 | | |----------+------------| | | 8.1 | Not | | | | vulnerable | |---------------+----------+------------| | | 7.0 | Not | | | | vulnerable | | |----------+------------| | | 7.1 | Not | | Control-plane | | vulnerable | |Access |----------+------------| | Control List | 7.2 | Not | | Vulnerability | | vulnerable | | |----------+------------| | | 8.0 | 8.0(3)9 | | |----------+------------| | | 8.1 | Not | | | | vulnerable | +---------------------------------------+ Fixed PIX software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/pix?psrtdcat20e2 Fix ASA software can be downloaded from: http://www.cisco.com/pcgi-bin/tablebuild.pl/asa?psrtdcat20e2 Workarounds =========== This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities and their respective workarounds are independent of each other. Crafted TCP ACK Packet Vulnerability +----------------------------------- As a workaround and best practice allow Telnet, SSH, and ASDM connections from only trusted hosts in your network. Additionally, filters that deny TCP ports 22, 23, 80, and 443 packets may be deployed throughout the network as part of a transit ACL (tACL) policy for protection of traffic which enters the network at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices behind it. Filters for packets using TCP ports 22, 23, 80, and 443 should also be deployed in front of vulnerable network devices so that traffic is only allowed from trusted clients. Additional information about tACLs is available in "Transit Access Control Lists : Filtering at Your Edge": http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml Crafted TLS Packet Vulnerability +------------------------------- There are no workarounds for this vulnerability. Instant Messenger Inspection Vulnerability The only workaround for this vulnerability is to disable IM inspection on the security appliance. Port Scan Denial of Service Vulnerability +---------------------------------------- There are no workarounds for this vulnerability. Control-plane Access Control List Vulnerability +---------------------------------------------- There are no workarounds for this vulnerability. Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20080604-asa.shtml Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml Do not contact psirt@cisco.com or security-alert@cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac@cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were found during internal testing and during the troubleshooting of a technical support service request. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at : http://www.cisco.com/warp/public/707/cisco-sa-20080604-asa.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce@cisco.com * first-teams@first.org * bugtraq@securityfocus.com * vulnwatch@vulnwatch.org * cisco@spot.colorado.edu * cisco-nsp@puck.nether.net * full-disclosure@lists.grok.org.uk * comp.dcom.sys.cisco@newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +---------------------------------------+ | Revision | | Initial | | 1.0 | 2008-June-04 | public | | | | release | +---------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkhGwG8ACgkQ86n/Gc8U/uAXugCgl3ldbkYO1vTiMqcWSf7NPfNO oQgAn2DiTO9kCOY0anGos0sdjHU0jAai =30Rf -----END PGP SIGNATURE----- . 4) An unspecified error can be exploited to cause an affected system to reload via specially crafted network traffic (e.g. SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00809a8354.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 and 8.1.x before 8.1(1)1 allows remote attackers to cause a denial of service (device reload) via a crafted Transport Layer Security (TLS) packet to the device interface. Cisco PIX and Cisco ASA are prone to multiple denial-of-service vulnerabilities and an unauthorized-access vulnerability. An attacker can exploit these issues to bypass ACL lists and to cause an affected device to reboot or crash. Only packets sent to the device, not through the device, can trigger this vulnerability. 1) An unspecified error in the processing of TCP ACK packets can be exploited to cause a DoS by sending a specially crafted packet to an affected device. This vulnerability affects software versions 7.1.x, 7.2.x, and 8.0.x. 2) An unspecified error in the handling of the TLS protocol can be exploited to cause an affected device to reload by sending a specially crafted TLS packet to an affected device. This vulnerability affects software version 8.0.x and 8.1.x. 3) An unspecified error in the Instant Messaging Inspection can be exploited to cause a DoS. Successful exploitation requires that Instant Messaging Inspection is enabled. This vulnerability affects software versions 7.2.x, 8.0.x, and 8.1.x. 4) An unspecified error can be exploited to cause an affected system to reload via specially crafted network traffic (e.g. by certain vulnerability / port scanners) to TCP port 443. This vulnerability affects software versions 7.2.x and 8.0.x. 5) An unspecified error causes the control-plane access control lists (ACL) to not work properly, which can be exploited to bypass configured control-plane ACLs. This vulnerability affects software versions 8.0.x. NOTE: Depending on the configuration some of the vulnerabilities are exploitable via the outside interface (please see the vendor's advisory for more information). SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00809a8354.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Instant Messenger (IM) inspection engine in Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.2.x before 7.2(4), 8.0.x before 8.0(3)10, and 8.1.x before 8.1(1)2 allows remote attackers to cause a denial of service via a crafted packet. Cisco PIX and Cisco ASA are prone to multiple denial-of-service vulnerabilities and an unauthorized-access vulnerability. An attacker can exploit these issues to bypass ACL lists and to cause an affected device to reboot or crash. Cisco ASA and Cisco PIX IM inspection engines are used to apply fine-grained control over IM usage in the network. 1) An unspecified error in the processing of TCP ACK packets can be exploited to cause a DoS by sending a specially crafted packet to an affected device. This vulnerability affects software versions 7.1.x, 7.2.x, and 8.0.x. 2) An unspecified error in the handling of the TLS protocol can be exploited to cause an affected device to reload by sending a specially crafted TLS packet to an affected device. This vulnerability affects software version 8.0.x and 8.1.x. 3) An unspecified error in the Instant Messaging Inspection can be exploited to cause a DoS. Successful exploitation requires that Instant Messaging Inspection is enabled. This vulnerability affects software versions 7.2.x, 8.0.x, and 8.1.x. 4) An unspecified error can be exploited to cause an affected system to reload via specially crafted network traffic (e.g. by certain vulnerability / port scanners) to TCP port 443. This vulnerability affects software versions 7.2.x and 8.0.x. 5) An unspecified error causes the control-plane access control lists (ACL) to not work properly, which can be exploited to bypass configured control-plane ACLs. This vulnerability affects software versions 8.0.x. NOTE: Depending on the configuration some of the vulnerabilities are exploitable via the outside interface (please see the vendor's advisory for more information). SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00809a8354.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 7.2.x before 7.2(3)2 and 8.0.x before 8.0(2)17 allows remote attackers to cause a denial of service (device reload) via a port scan against TCP port 443 on the device. interferes with service operation (DoS) There is a possibility of being put into a state. Cisco PIX and Cisco ASA are prone to multiple denial-of-service vulnerabilities and an unauthorized-access vulnerability. An attacker can exploit these issues to bypass ACL lists and to cause an affected device to reboot or crash. Certain vulnerability/port scanners can cause system overloads. 1) An unspecified error in the processing of TCP ACK packets can be exploited to cause a DoS by sending a specially crafted packet to an affected device. This vulnerability affects software versions 7.1.x, 7.2.x, and 8.0.x. 2) An unspecified error in the handling of the TLS protocol can be exploited to cause an affected device to reload by sending a specially crafted TLS packet to an affected device. This vulnerability affects software version 8.0.x and 8.1.x. 3) An unspecified error in the Instant Messaging Inspection can be exploited to cause a DoS. Successful exploitation requires that Instant Messaging Inspection is enabled. This vulnerability affects software versions 7.2.x, 8.0.x, and 8.1.x. 4) An unspecified error can be exploited to cause an affected system to reload via specially crafted network traffic (e.g. by certain vulnerability / port scanners) to TCP port 443. This vulnerability affects software versions 7.2.x and 8.0.x. 5) An unspecified error causes the control-plane access control lists (ACL) to not work properly, which can be exploited to bypass configured control-plane ACLs. This vulnerability affects software versions 8.0.x. NOTE: Depending on the configuration some of the vulnerabilities are exploitable via the outside interface (please see the vendor's advisory for more information). SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00809a8354.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco Adaptive Security Appliance (ASA) and Cisco PIX security appliance 8.0.x before 8.0(3)9 allows remote attackers to bypass control-plane ACLs for the device via unknown vectors. Cisco PIX and Cisco ASA are prone to multiple denial-of-service vulnerabilities and an unauthorized-access vulnerability. An attacker can exploit these issues to bypass ACL lists and to cause an affected device to reboot or crash. Control-plane ACLs are used to secure traffic sent to security devices. 1) An unspecified error in the processing of TCP ACK packets can be exploited to cause a DoS by sending a specially crafted packet to an affected device. This vulnerability affects software versions 7.1.x, 7.2.x, and 8.0.x. 2) An unspecified error in the handling of the TLS protocol can be exploited to cause an affected device to reload by sending a specially crafted TLS packet to an affected device. This vulnerability affects software version 8.0.x and 8.1.x. 3) An unspecified error in the Instant Messaging Inspection can be exploited to cause a DoS. Successful exploitation requires that Instant Messaging Inspection is enabled. This vulnerability affects software versions 7.2.x, 8.0.x, and 8.1.x. 4) An unspecified error can be exploited to cause an affected system to reload via specially crafted network traffic (e.g. by certain vulnerability / port scanners) to TCP port 443. This vulnerability affects software versions 7.2.x and 8.0.x. 5) An unspecified error causes the control-plane access control lists (ACL) to not work properly, which can be exploited to bypass configured control-plane ACLs. This vulnerability affects software versions 8.0.x. NOTE: Depending on the configuration some of the vulnerabilities are exploitable via the outside interface (please see the vendor's advisory for more information). SOLUTION: Update to fixed versions (please see the vendor's advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: http://www.cisco.com/en/US/products/products_security_advisory09186a00809a8354.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple SQL injection vulnerabilities in Phoenix View CMS Pre Alpha2 and earlier allow remote attackers to execute arbitrary SQL commands via the del parameter to (1) gbuch.admin.php, (2) links.admin.php, (3) menue.admin.php, (4) news.admin.php, and (5) todo.admin.php in admin/module/. (1) admin/module/ Subordinate gbuch.admin.php (2) admin/module/ Subordinate links.admin.php (3) admin/module/ Subordinate menue.admin.php (4) admin/module/ Subordinate news.admin.php (5) admin/module/ Subordinate todo.admin.php. Phoenix View Cms is prone to a sql-injection vulnerability

Directory traversal vulnerability in admin/admin_frame.php in Phoenix View CMS Pre Alpha2 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ltarget parameter. ( Dot dot ) including ltarget Any local file may be included and executed via parameters. Phoenix View Cms is prone to a file-upload vulnerability

Stack-based buffer overflow in SecurityGateway.dll in Alt-N Technologies SecurityGateway 1.0.1 allows remote attackers to execute arbitrary code via a long username parameter. SecurityGateway is prone to a buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer. Failed exploit attempts will result in a denial-of-service condition. SecurityGateway 1.0.1 is vulnerable; other versions may also be affected. ---------------------------------------------------------------------- Want a new job? http://secunia.com/secunia_security_specialist/ http://secunia.com/hardcore_disassembler_and_reverse_engineer/ ---------------------------------------------------------------------- TITLE: Alt-N SecurityGateway "username" Buffer Overflow Vulnerability SECUNIA ADVISORY ID: SA30497 VERIFY ADVISORY: http://secunia.com/advisories/30497/ CRITICAL: Highly critical IMPACT: DoS, System access WHERE: >From remote SOFTWARE: Alt-N SecurityGateway 1.x http://secunia.com/product/18916/ DESCRIPTION: securfrog has discovered a vulnerability in Alt-N SecurityGateway, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error in the processing of HTTP requests sent to the administrative web interface. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 1.0.1. SOLUTION: Restrict network access to the administrative web interface. PROVIDED AND/OR DISCOVERED BY: securfrog ORIGINAL ADVISORY: http://milw0rm.com/exploits/5718 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Apple Safari on Mac OS X, and before 3.1.2 on Windows, does not prompt the user before downloading an object that has an unrecognized content type, which allows remote attackers to place malware into the (1) Desktop directory on Windows or (2) Downloads directory on Mac OS X, and subsequently allows remote attackers to execute arbitrary code on Windows by leveraging an untrusted search path vulnerability in (a) Internet Explorer 7 on Windows XP or (b) the SearchPath function in Windows XP, Vista, and Server 2003 and 2008, aka a "Carpet Bomb" and a "Blended Threat Elevation of Privilege Vulnerability," a different issue than CVE-2008-1032. NOTE: Apple considers this a vulnerability only because the Microsoft products can load application libraries from the desktop and, as of 20080619, has not covered the issue in an advisory for Mac OS X. A vulnerability in Apple Safari on the Microsoft Windows operating system stems from a combination of security issues in Safari and all versions of Windows XP and Vista that will allow executables to be downloaded to a user's computer and run without prompting. A vulnerability in Safari, known as the 'carpet-bombing' issue reported by Nitesh Dhanjani, allows an attacker to silently place malicious DLL files on a victim's computer. A problem in Internet Explorer, reported in December of 2006 by Aviv Raff, can then be used to run those malicious DLLs. An attacker can exploit this issue by tricking a victim into visiting a malicious page with Safari; the malicious files will run when the victim starts Internet Explorer. Successful exploitation allows execution of arbitrary code when a user visits a malicious web site. SOLUTION: Set the download location in Safari to a location other than "Desktop". ORIGINAL ADVISORY: http://www.microsoft.com/technet/security/advisory/953818.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 National Cyber Alert System Technical Cyber Security Alert TA09-104A Microsoft Updates for Multiple Vulnerabilities Original release date: April 14, 2009 Last revised: -- Source: US-CERT Systems Affected * Microsoft Windows * Microsoft Office * Microsoft Windows Server * Microsoft ISA Server Overview Microsoft has released updates that address vulnerabilities in Microsoft Windows, Office, Windows Server, and ISA Server. I. Description As part of the Microsoft Security Bulletin Summary for April 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows, Office, Windows Server, and ISA Server. II. Impact A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application to crash. III. Solution Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for April 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). IV. References * Microsoft Security Bulletin Summary for April 2009 - <http://www.microsoft.com/technet/security/bulletin/ms09-apr.mspx> * Microsoft Windows Server Update Services - <http://technet.microsoft.com/en-us/wsus/default.aspx> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-104A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-104A Feedback VU#999892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 14, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeTi+XIHljM+H4irAQIIWQf/TWAkmQKay9j5fDLBcyMGJ3icTpG05Zp2 rM8UXMjKohKcDBhY1K9mxKxif5L81+y87PlBz/WTl3icn+57wAGMl/pAAeTz3Hp3 T98eKMXfzvVU57WDGGxy+4Ad57DIIF5hRkiGusDjnNJfd5kdH7q+8rPjPCUvtYAu H+0auzCpmob7NsIv/YuRXIHekkLiX5GPanhecy+mve1cvbSpXGKF9vf7LEGaFEsT 1XOtTeY0r4TjZEk/c5ahKqGehJINujvv4eVdiajqDOCVecaALi+p+XwMSLtlJvgK Vaa/ioPIFq8nNUz7eefVSadsary2RfmKegDwmg8FZX/UOso+tQ21KQ== =q59/ -----END PGP SIGNATURE-----