VARIoT IoT vulnerabilities database

Buffer overflow in apply.cgi in Linksys WRT54G 3.01.03, 3.03.6, and possibly other versions before 4.20.7, allows remote attackers to execute arbitrary code via a long HTTP POST request. WRT54G v1.0 is prone to a remote security vulnerability. Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may cause a denial-of-service condition. Linksys WRT54G Router Remote Administration apply.cgi Buffer Overflow Vulnerability iDEFENSE Security Advisory 09.13.05 www.idefense.com/application/poi/display?id=305&type=vulnerabilities September 13, 2005 I. BACKGROUND The Linksys WRT54G is a combination wireless access point, switch and router. More information is available at the following URL: http://www.linksys.com/products/product.asp?prid=508 II. The vulnerability specifically exists in the 'apply.cgi' handler of the httpd running on the internal interfaces, including the by default the wireless interface. This handler is used by the many of the configuration pages to perform the configuration management of the router. III. This could allow any operation to be performed on the router, including changing passwords and firewall configuration, installation of new firmware with other features, or denial of service. Exploitation of this vulnerability requires that an attacker can connect to the web management port of the router. The httpd is running by default but is only accessible via the LAN ports or the WLAN (wireless LAN). An attacker who can associate via the wireless interface to the network running a vulnerable httpd could send an exploit from a wireless device, and so not require direct physical access to an affected network. Additionally, if the httpd is configured to listen on the WAN (internet) interface, this vulnerability would be exploitable remotely over the internet. On some versions of the WRT54G firmware the buffer used to store the POST input, 'post_buf', is before a structure in memory containing pointers to the 'mime_handlers' structure, which contains function pointers for handling the various types of input. By overwriting this structure so some function pointers point into post_buf, it is possible to execute arbitrary commands. Overwriting these values with nulls will prevent access to the httpd on the system until the router is restarted. Overwriting these values with 'garbage' values will cause the httpd to crash but it will be restarted by a system monitoring process within 2 minutes, allowing multiple exploitation attempts. Although authentication checks are performed on access to this page, the code which reads in the buffer is executed even if authentication fails, so as to clear the input buffer from the client before returning an error message. This may allow an unauthenticated user to exploit the vulnerability. IV. DETECTION iDEFENSE has confirmed the existence of this vulnerability in version 3.01.03 of the firmware of the Linksys WRT54G, and has identified the same code is present in version 3.03.6. All versions prior to 4.20.7 may be affected. As this firmware is Open Source, and based on a reference implementation supplied by the original hardware maker, there may be other affected 3rd party firmware which use the same or similar code, and are thus also affected. V. WORKAROUND In order to mitigate exposure of the internal network to outside attackers, ensure encryption is enabled on the wireless interface. The exact settings to use are dependent on your wireless deployment policies. VI. VENDOR RESPONSE This vulnerability is addressed in firmware version 4.20.7 available for download at: http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout &packedargs=c%3DL_Download_C2%26cid%3D1115417109974%26sku%3D112491680264 5 &pagename=Linksys%2FCommon%2FVisitorWrapper VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2799 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 06/07/2005 Initial vendor notification 06/07/2005 Initial vendor response 09/13/2005 Coordinated public disclosure IX. CREDIT This vulnerability was discovered by Greg MacManus of iDEFENSE Labs. Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp Free tools, research and upcoming events http://labs.idefense.com X. LEGAL NOTICES Copyright (c) 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information

Multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) name, (2) sid, and (3) pid parameters in a POST request, which bypasses security checks that are performed for GET requests. PHP-Nuke is prone to a sql-injection vulnerability. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. There are multiple SQL injection vulnerabilities in modules.php in PHP-Nuke 7.8. When magic_quotes_gpc is disabled, a remote attacker can execute arbitrary SQL commands. Such requests bypass the security checks performed for GET requests. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: PHP-Nuke SQL Injection Vulnerabilities SECUNIA ADVISORY ID: SA16801 VERIFY ADVISORY: http://secunia.com/advisories/16801/ CRITICAL: Moderately critical IMPACT: Manipulation of data WHERE: >From remote SOFTWARE: PHP-Nuke 7.x http://secunia.com/product/2385/ DESCRIPTION: Robin Verton has discovered some vulnerabilities in PHP-Nuke, which can be exploited by malicious people to conduct SQL injection attacks. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. The vulnerabilities have been confirmed in version 7.7. Version 7.8 and prior are reportedly also be affected. SOLUTION: Edit the source code to ensure that input is properly sanitised. PROVIDED AND/OR DISCOVERED BY: Robin Verton ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Linksys WRT54G router allows remote attackers to cause a denial of service (CPU consumption and server hang) via an HTTP POST request with a negative Content-Length value. WRT54G v1.0 is prone to a denial-of-service vulnerability. Linksys WRT54G is a Cisco wireless router

ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, does not use an authentication initialization function, which allows remote attackers to obtain encrypted configuration information and, if the key is known, modify the configuration. WRT54G v1.0 is prone to a remote security vulnerability. Linksys WRT54G is a Cisco wireless router

ezconfig.asp in Linksys WRT54G router 3.01.03, 3.03.6, non-default configurations of 2.04.4, and possibly other versions, uses weak encryption (XOR encoding with a fixed byte mask) for configuration information, which could allow attackers to decrypt the information and possibly re-encrypt it in conjunction with CVE-2005-2914. WRT54G v1.0 is prone to a remote security vulnerability. Linksys WRT54G is a Cisco wireless router

Linksys WRT54G 3.01.03, 3.03.6, 4.00.7, and possibly other versions before 4.20.7, does not verify user authentication until after an HTTP POST request has been processed, which allows remote attackers to (1) modify configuration using restore.cgi or (2) upload new firmware using upgrade.cgi. WRT54G v1.0 is prone to a remote security vulnerability. Linksys WRT54G is a Cisco wireless router. cgi to modify configuration or (2) upload new firmware using upgrade.cgi

Multiple vulnerabilities have been identified in Linksys WRT54G routers. These issue all require that an attacker have access to either the wireless, or internal LAN network segments of the affected device. Exploitation from the WAN interface is only possible if the affected device has remote management enabled. This issue allows attackers to: - Download and replace the configuration of affected routers. - Execute arbitrary machine code in the context of the affected device. - Utilize HTTP POST requests to upload router configuration and firmware files without proper authentication - Degrade the performance of affected devices and cause the Web server to become unresponsive, potentially denying service to legitimate users.

ADSL Road Runner modem in the Annex A family has a service running on port 224, which allows remote attackers to login to the modem with a blank password and gain unauthorized access. Annex is a modem specification

Argument injection vulnerability in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to (1) read portions of source code via the -f option to Dig (dig_device.cgi), (2) determine file existence via the -r argument to Tcpdump (tcpdump_device.cgi) or (3) modify files in the cgi-bin directory via the -w argument to Tcpdump. Barracuda Spam Firewall is prone to a remote security vulnerability. Barracuda Spam Firewall is the main product of Bovite, which provides users with a safe, efficient and comprehensive overall solution for spam and virus email protection

Check Point NGX R60 does not properly verify packets against the predefined service group "CIFS" rule, which allows remote attackers to bypass intended restrictions. CIFS There is a vulnerability that will be interpreted.Check Point VPN-1/FireWall-1 May be restricted and may be connected to a computer in the network. This issue is due to a failure of the software to properly implement expected firewall rules. This vulnerability allows attackers to bypass firewall rules, letting them attack protected services and computers without expected restriction. This also issue leads to a false sense of security by firewall administrators. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Check Point Firewall CIFS Service Group Rule Bypass SECUNIA ADVISORY ID: SA16770 VERIFY ADVISORY: http://secunia.com/advisories/16770/ CRITICAL: Less critical IMPACT: Security Bypass WHERE: >From remote SOFTWARE: Check Point VPN-1/Firewall-1 NG http://secunia.com/product/89/ Check Point VPN-1 Server 4.x http://secunia.com/product/2965/ Check Point Provider-1 http://secunia.com/product/3262/ Check Point FireWall-1 GX 2.x http://secunia.com/product/3263/ Check Point Firewall-1 4.x http://secunia.com/product/88/ Check Point VPN-1/FireWall-1 NG with Application Intelligence (AI) http://secunia.com/product/2542/ Check Point VPN-1/FireWall-1 VSX NG http://secunia.com/product/3264/ DESCRIPTION: fitz has reported a security issue in Check Point Firewall, which potentially can be exploited by malicious people to bypass certain security restrictions. The security issue has been reported in the following products: * VPN-1/FireWall-1 * VPN-1 VSX * Provider-1 SOLUTION: The vendor suggests renaming the CIFS service group. Refer to the vendor's advisory for instructions. PROVIDED AND/OR DISCOVERED BY: fitz ORIGINAL ADVISORY: Check Point: http://secureknowledge.us.checkpoint.com/SecureKnowledge/viewSolutionDocument.do?id=sk31196 OTHER REFERENCES: US-CERT VU#508209: http://www.kb.cert.org/vuls/id/508209 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Buffer overflow in Firewall Authentication Proxy for FTP and/or Telnet Sessions for Cisco IOS 12.2ZH and 12.2ZL, 12.3 and 12.3T, and 12.4 and 12.4T allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted user authentication credentials. IOS is prone to a denial-of-service vulnerability. Successful exploitation of this issue could cause a denial of service or potential execution of arbitrary code. This issue affects the FTP and Telnet protocols, but not HTTP. Cisco's Internet Operating System (IOS) is a complex operating system optimized for Internetworking -- similar to a Local Area Operating System (NOS), such as Novell's NetWare, optimized for LANs. The vulnerability is caused due to a boundary error when the Authentication Proxy FTP/Telnet is processing user authentication credentials. This can be exploited to cause a buffer overflow. The vulnerability is reported in the following versions: * 12.2ZH and 12.2ZL based trains * 12.3 based trains * 12.3T based trains * 12.4 based trains * 12.4T based trains SOLUTION: Fixes are available (see patch matrix in vendor advisory). http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml#software PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: http://www.cisco.com/warp/public/707/cisco-sa-20050907-auth_proxy.shtml OTHER REFERENCES: US-CERT VU#236045: http://www.kb.cert.org/vuls/id/236045 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter. This issue arises when user-specified commands are supplied to the Web interface of the device. An attacker can supply arbitrary commands and have them executed in the context of the server. This issue may facilitate unauthorized remote access. Barracuda Spam Firewall firmware 3.1.17 and prior versions are affected by this issue. The img.pl script tries to disconnect the file when the user finishes reading it. In /cgi-bin/img.pl script: my $file_img=\"/tmp/\".CGI::param(\'\'f\'\'); open (IMG, $file_img) or die \ "Could not open image because: $!\n\"; ... unlink ($file_img); The perl open function can also be used to execute commands. If the string ends with \"|\", the script executes the command

Directory traversal vulnerability in img.pl in Barracuda Spam Firewall running firmware 3.1.16 and 3.1.17 allows remote attackers to read arbitrary files via a .. (dot dot) in the f parameter. This issue affects the Web interface of the appliance. Exploitation of this vulnerability could lead to a loss of confidentiality as arbitrary files are disclosed to an attacker. Information obtained through this attack may aid in further attacks against the underlying system. Barracuda Spam Firewall firmware 3.1.17 and prior versions are affected by this issue. The img.pl script tries to disconnect the file when the user finishes reading it. In /cgi-bin/img.pl script: my $file_img=\"/tmp/\".CGI::param(\'\';f\'\'); open (IMG, $file_img) or die \"Could not open image because: $!\n\"; ... unlink ($file_img); The perl open function can also be used to execute commands. If the string ends with \"|\", the script executes the command, piping the output to the IMG file descriptor. File retrieval: f=../etc/passwd An attacker could exploit this vulnerability to obtain sensitive information such as administrator passwords

Symantec AntiVirus Corporate Edition 9.0.1.x and 9.0.4.x, and possibly other versions, when obtaining updates from an internal LiveUpdate server, stores sensitive information in cleartext in the Log.Liveupdate log file, which allows attackers to obtain the username and password to the internal LiveUpdate server. Symantec LiveUpdate Client is susceptible to a local information disclosure vulnerability. A local attacker can subsequently access the file and disclose authentication credentials to access the server. This may lead to various attacks including the potential compromise of the server. Symantec Antivirus is an antivirus software produced by Symantec Corporation

Microsoft IIS 5.1 and 6 allows remote attackers to spoof the SERVER_NAME variable to bypass security checks and conduct various attacks via a GET request with an http://localhost URI, which makes it appear as if the request is coming from localhost. Microsoft IIS In SERVER_NAME Incorrect handling of variables HTTP A vulnerability exists in which a variable can be changed to an arbitrary value by sending a request.It is possible to obtain important information in the system. IIS Far East Edition is prone to a remote security vulnerability. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Microsoft IIS "SERVER_NAME" Variable Spoofing Vulnerability SECUNIA ADVISORY ID: SA16548 VERIFY ADVISORY: http://secunia.com/advisories/16548/ CRITICAL: Less critical IMPACT: Spoofing WHERE: >From remote SOFTWARE: Microsoft Internet Information Services (IIS) 5.x http://secunia.com/product/39/ Microsoft Internet Information Services (IIS) 6 http://secunia.com/product/1438/ DESCRIPTION: Inge Henriksen has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to spoof certain information. The vulnerability is caused due to an error when determining the "SERVER_NAME" variable and can be exploited to spoof it via a specially crafted HTTP request. Successful exploitation may e.g. disclose parts of an ASP scripts' source code or make it possible to bypass security checks performed by a web application based on the "SERVER_NAME" variable. The vulnerability has been confirmed in IIS 5.1 and has also been reported in versions 5.0 and 6.0. SOLUTION: Don't make assumptions based on the "SERVER_NAME" variable in web applications. Don't use the default 500-100.asp error page, as it makes assumptions based on the "SERVER_NAME" variable and may return script contents when encountering errors. PROVIDED AND/OR DISCOVERED BY: Inge Henriksen ORIGINAL ADVISORY: http://ingehenriksen.blogspot.com/2005/08/remote-iis-5x-and-iis-60-server-name.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

pwmconfig in LM_sensors before 2.9.1 creates temporary files insecurely, which allows local users to overwrite arbitrary files via a symlink attack on the fancontrol temporary file. lm_sensors Implemented in pwmconfig The script contains temporary files in a security inappropriate manner (/tmp/fancontrol) Therefore, there is a vulnerability that is subject to symbolic link attacks.pwmconfig Any file may be overwritten with the authority of the user who executes the command. The issue exists in the 'pwmconfig' script. Exploitation would most likely result in loss of data or a denial of service if critical files are overwritten in the attack. Other attacks may be possible as well. lm_sensors version 2.9.1 is reportedly affected, however, other versions may be vulnerable as well. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA 814-1 security@debian.org http://www.debian.org/security/ Martin Schulze September 15th, 2005 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : lm-sensors Vulnerability : insecure temporary file Problem type : local Debian-specific: no CVE ID : CAN-2005-2672] Debian Bug : 324193 Javier Fern\xe1ndez-Sanguino Pe\xf1a discovered that a script of lm-sensors, utilities to read temperature/voltage/fan sensors, creates a temporary file with a predictable filename, leaving it vulnerable for a symlink attack. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 2.9.1-1sarge2. For the unstable distribution (sid) this problem has been fixed in version 2.9.1-7. We recommend that you upgrade your lm-sensors package. Upgrade Instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.1 alias sarge - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2.dsc Size/MD5 checksum: 1089 b29b66e67c0cdc230e00e5183724427a http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2.diff.gz Size/MD5 checksum: 32896 551c338fbc31a17f7fd909c8c18f495e http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1.orig.tar.gz Size/MD5 checksum: 870765 f5af615e39441d95471bdb72a3f01709 Architecture independent components: http://security.debian.org/pool/updates/main/l/lm-sensors/kernel-patch-2.4-lm-sensors_2.9.1-1sarge2_all.deb Size/MD5 checksum: 304604 9b936604bcb60dd90c26de965bc8ae7f http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-source_2.9.1-1sarge2_all.deb Size/MD5 checksum: 956166 a4cc7cf62245912cca061249e7ff153e Alpha architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_alpha.deb Size/MD5 checksum: 107734 6672ce70e0a11a3db57b5cc5410a887f http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_alpha.deb Size/MD5 checksum: 88004 07333a65127b12aaa3bb7593ca998fc8 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_alpha.deb Size/MD5 checksum: 469638 2894c427fa1a171588ee25ec7944aeae http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_alpha.deb Size/MD5 checksum: 60162 996e3f4caa6f99a509612ed9409538a1 AMD64 architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_amd64.deb Size/MD5 checksum: 99604 5a2ecb59416841693f291c18ffc36b9f http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_amd64.deb Size/MD5 checksum: 86024 be04743cfbe7a3dba14522ce35807a46 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_amd64.deb Size/MD5 checksum: 471644 de8c9584f1d5bc2a2fc4134ebb0a5958 http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_amd64.deb Size/MD5 checksum: 57960 7d2bcf38f644cc293814d9be97e7e462 ARM architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_arm.deb Size/MD5 checksum: 95374 76afc070abfaca6877c53b3dc97e2efe http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_arm.deb Size/MD5 checksum: 77598 688a884f1c1a3d9966863f9dd13e6378 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_arm.deb Size/MD5 checksum: 466524 f60ec616c55ffecd7d32d9ce6701520b http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_arm.deb Size/MD5 checksum: 56518 001487c8ebf59a64eca3c4b1ebd3a4fc Intel IA-32 architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 93822 18985e4483e7ba7f1ee4e08c31e77ee6 http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 77704 c7360febfe8fb136d4edc7447c4a3787 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 471594 4bb236b1ad878a31115d7231f624d53b http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-386_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 258638 9dab2f0c6ca40bb6b1fa648c72dea266 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-586tsc_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 258646 27ec0369b7e5710cfa9b8a2f6dc7f976 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-686_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 258638 7b59494c8c7e836392ec8d29832a37f7 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-686-smp_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 259220 1f84862f63d4b84ca52d3b0188eae27f http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-k6_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 258658 f44895c10b0a2a66f9f8fc2fc1c08945 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-k7_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 258950 fc63b5a3190378d192810b865db159d7 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors-2.4.27-2-k7-smp_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 259496 acbd3d286c9f83c33075207a32297bfe http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_i386.deb Size/MD5 checksum: 56282 4aaa87fa8ec4a9c7a80cc5fa2a2a65c7 Intel IA-64 architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_ia64.deb Size/MD5 checksum: 110518 31b9a4a92124027fc290af68a33c9d72 http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_ia64.deb Size/MD5 checksum: 94704 1c7b33cb67d43b00bc5c560e010cba42 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_ia64.deb Size/MD5 checksum: 487502 b2c2e822feccd91e2cf4e16b788ee8b2 http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_ia64.deb Size/MD5 checksum: 63894 6f5dd42f2e9bfe4e6f6dfc0d657c231c HP Precision architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_hppa.deb Size/MD5 checksum: 103444 b90312374564a949899f1fc5efe0afca http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_hppa.deb Size/MD5 checksum: 88110 c2c6817f83c05784e7ae6dfb342c3f45 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_hppa.deb Size/MD5 checksum: 470520 cff17a1708ab3698cbe576845758f040 http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_hppa.deb Size/MD5 checksum: 59432 2316f77020a58c9bbcb4680e39093872 Motorola 680x0 architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_m68k.deb Size/MD5 checksum: 95016 2570abfafb354bf68ff57e294010d9bd http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_m68k.deb Size/MD5 checksum: 82760 8575a48b3ae56c05aa33b1dec7b7e7d8 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_m68k.deb Size/MD5 checksum: 457278 2b04efc7078bfcac49bae53de1fa37f4 http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_m68k.deb Size/MD5 checksum: 55334 acf8cedc0bc7b9fcce51bf4028346aa4 Big endian MIPS architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_mips.deb Size/MD5 checksum: 101340 65525f23eed1bb8bd56104db43613b64 http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_mips.deb Size/MD5 checksum: 80346 78e1796d19b2a450001b7db46fa00971 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_mips.deb Size/MD5 checksum: 464976 77c81982d7dc7a6e3059e9b7bfe843ae http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_mips.deb Size/MD5 checksum: 58392 fce20208178fcf5e8b34f037a89ebeb8 Little endian MIPS architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_mipsel.deb Size/MD5 checksum: 99308 561831d67a0b6c5a2c23ce19d63fd4e9 http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_mipsel.deb Size/MD5 checksum: 78318 bf864fc9cc93f35f74cb383916b93187 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_mipsel.deb Size/MD5 checksum: 465612 90be081b2fe5d58208cdc22f922ace6a http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_mipsel.deb Size/MD5 checksum: 58452 862e8a3b5f5bf5ab9a7e37f91828a96a PowerPC architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_powerpc.deb Size/MD5 checksum: 105926 1c01fa48983ca51785fb6cebcb1352e7 http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_powerpc.deb Size/MD5 checksum: 84122 362b899e12a413c46a1aa3bb80ae9564 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_powerpc.deb Size/MD5 checksum: 476730 326fe3274869079637c4a425430d9cc9 http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_powerpc.deb Size/MD5 checksum: 59362 2be27fc39b66107b8bc28df51bfd929f IBM S/390 architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_s390.deb Size/MD5 checksum: 105122 aa913f7a24298b97954809094c966d13 http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_s390.deb Size/MD5 checksum: 86884 2c6ebcada8848923a727f21d348089bf http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_s390.deb Size/MD5 checksum: 463706 d0d5e649c114bd891c9dd5a742b3dd7f http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_s390.deb Size/MD5 checksum: 57970 fccda7621dfee8331517dc5f47587246 Sun Sparc architecture: http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors-dev_2.9.1-1sarge2_sparc.deb Size/MD5 checksum: 100274 63098e8e9f4c3fab8147c04aa17d811c http://security.debian.org/pool/updates/main/l/lm-sensors/libsensors3_2.9.1-1sarge2_sparc.deb Size/MD5 checksum: 80906 18db5ab878c2185c7a999f968b36e204 http://security.debian.org/pool/updates/main/l/lm-sensors/lm-sensors_2.9.1-1sarge2_sparc.deb Size/MD5 checksum: 470238 3edce01e75344d0a8a3985c564060243 http://security.debian.org/pool/updates/main/l/lm-sensors/sensord_2.9.1-1sarge2_sparc.deb Size/MD5 checksum: 56654 c47257c9c9263f657a3e96f55b14c40b These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDKYEPW5ql+IAeqTIRAvkXAJsG3t7J+SurPWsgUlq3bgSvDTBr3gCgtCBV zykdnzOaXU1T+P83Q3O0KLQ= =z0Ex -----END PGP SIGNATURE----- . For more information: SA16501 SOLUTION: Update to "sys-apps/lm_sensors-2.9.1-r1" or later. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: LM Sensors Insecure Temporary File Creation Vulnerability SECUNIA ADVISORY ID: SA16501 VERIFY ADVISORY: http://secunia.com/advisories/16501/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system SOFTWARE: LM Sensors 2.x http://secunia.com/product/5572/ DESCRIPTION: Javier Fernandez-Sanguino Pena has reported a vulnerability in LM Sensors, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. SOLUTION: Grant only trusted users access to vulnerable systems. PROVIDED AND/OR DISCOVERED BY: Javier Fernandez-Sanguino Pena ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 200508-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: lm_sensors: Insecure temporary file creation Date: August 30, 2005 Bugs: #103568 ID: 200508-19 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== lm_sensors is vulnerable to linking attacks, potentially allowing a local user to overwrite arbitrary files. Background ========== lm_sensors is a software package that provides drivers for monitoring the temperatures, voltages, and fans of Linux systems with hardware monitoring devices. When the pwmconfig script of lm_sensors is executed, this would result in the file being overwritten with the rights of the user running the script, which typically is the root user. Workaround ========== There is no known workaround at this time. Resolution ========== All lm_sensors users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=sys-apps/lm_sensors-2.9.1-r1" References ========== [ 1 ] CAN-2005-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2672 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-200508-19.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org. License ======= Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.0 . For more information: SA16501 SOLUTION: Updated packages are available from Red Hat Network

Unspecified vulnerability in the SSL certificate checking functionality in Cisco CiscoWorks Management Center for IDS Sensors (IDSMC) 2.0 and 2.1, and Monitoring Center for Security (Security Monitor or Secmon) 1.1 through 2.0 and 2.1, allows remote attackers to spoof a Cisco Intrusion Detection Sensor (IDS) or Intrusion Prevention System (IPS). This issue is due to a failure of the software to properly validate SSL certificates. By spoofing these connections attackers may gain access to login credentials, aiding them in further attacks. Spoofed connections may also allow for the insertion of false data or the modification or destruction of other valid data contained in the affected management software. This allows attackers to hide the traces of their malicious activity, creating a false sense of security. Other attacks may also be possible

Unspecified vulnerability in the command line processing (CLI) logic in Cisco Intrusion Prevention System 5.0(1) and 5.0(2) allows local users with OPERATOR or VIEWER privileges to gain additional privileges via unknown vectors. Cisco IPS is susceptible to a local privilege escalation vulnerability. This issue is due to a flaw in the logic of the command line interface (CLI). These privileges are non-privileged accounts designated for monitoring and troubleshooting of IPS devices. By exploiting this vulnerability, attackers may gain full administrative privileges on affected devices. This allows them to bypass the network security features of the device, aiding them in further attacks. Arbitrary code execution and denial of network services is also possible. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: Cisco Intrusion Prevention System Privilege Escalation SECUNIA ADVISORY ID: SA16545 VERIFY ADVISORY: http://secunia.com/advisories/16545/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system OPERATING SYSTEM: Cisco Intrusion Prevention System (IPS) 5.x http://secunia.com/product/5600/ DESCRIPTION: A vulnerability has been reported in Cisco Intrusion Prevention System, which can be exploited by malicious, local users to gain escalated privileges. The vulnerability affects versions 5.0(1) and 5.0(2). Versions 4.x and prior are not vulnerable. SOLUTION: Update to version 5.0(3). http://www.cisco.com/pcgi-bin/tablebuild.pl/ips5 PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20050824-ips.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allows remote attackers to execute arbitrary commands via spoofed CAFT packets. CAM is prone to a vulnerability that could permit the spoofing of a CAFT application utilizing the CAM instance. This may ultimately allow the execution of arbitrary commands. CAFT is a file transfer application that utilizes CAM to send and receive the files. The problem presents itself due to a failure in the CAM service to verify the legitimacy of the CAFT application. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: CA Various Products Message Queuing Vulnerabilities SECUNIA ADVISORY ID: SA16513 VERIFY ADVISORY: http://secunia.com/advisories/16513/ CRITICAL: Moderately critical IMPACT: Spoofing, DoS, System access WHERE: >From local network SOFTWARE: CA Unicenter TNG 2.x http://secunia.com/product/3206/ CA Unicenter Software Delivery 4.x http://secunia.com/product/5597/ CA Unicenter Software Delivery 3.x http://secunia.com/product/5596/ CA Unicenter Service Level Management 3.x http://secunia.com/product/5595/ CA Unicenter Remote Control 6.x http://secunia.com/product/2622/ CA Unicenter Performance Management for OpenVMS 2.x http://secunia.com/product/5573/ CA Unicenter Network and Systems Management (NSM) Wireless Network Management Option 3.x http://secunia.com/product/5594/ CA Unicenter Network and Systems Management (NSM) 3.x http://secunia.com/product/1683/ CA Unicenter Management for WebSphere MQ 3.x http://secunia.com/product/5590/ CA Unicenter Management for Web Servers 5.x http://secunia.com/product/5593/ CA Unicenter Management for Microsoft Exchange 4.x http://secunia.com/product/5591/ CA Unicenter Management for Lotus Notes/Domino 4.x http://secunia.com/product/5592/ CA Unicenter Jasmine 3.x http://secunia.com/product/5589/ CA Unicenter Enterprise Job Manager 1.x http://secunia.com/product/5588/ CA Unicenter Data Transport Option 2.x http://secunia.com/product/5587/ CA Unicenter Asset Management 4.x http://secunia.com/product/1682/ CA Unicenter Asset Management 3.x http://secunia.com/product/5586/ CA Unicenter Application Performance Monitor 3.x http://secunia.com/product/5585/ CA eTrust Admin 8.x http://secunia.com/product/5584/ CA eTrust Admin 2.x http://secunia.com/product/5583/ CA CleverPath Predictive Analysis Server 3.x http://secunia.com/product/5581/ CA CleverPath Predictive Analysis Server 2.x http://secunia.com/product/5580/ CA CleverPath OLAP 5.x http://secunia.com/product/5578/ CA CleverPath Enterprise Content Manager (ECM) 3.x http://secunia.com/product/5579/ CA CleverPath Aion 10.x http://secunia.com/product/5582/ CA BrightStor SAN Manager 11.x http://secunia.com/product/5576/ CA BrightStor SAN Manager 1.x http://secunia.com/product/5575/ CA BrightStor Portal 11.x http://secunia.com/product/5577/ CA Advantage Data Transport 3.x http://secunia.com/product/5574/ DESCRIPTION: Some vulnerabilities have been reported in various products within the CA Message Queuing (CAM / CAFT) software, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) An unspecified error in the CAM service can be exploited to cause a DoS by sending specially crafted packets to the TCP port. 2) Unspecified boundary errors can be exploited to cause buffer overflows by sending specially crafted packets to the service. SOLUTION: Apply patches (see vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: Computer Associates: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple buffer overflows in Computer Associates (CA) Message Queuing (CAM / CAFT) 1.05, 1.07 before Build 220_13, and 1.11 before Build 29_13 allow remote attackers to execute arbitrary code via unknown vectors. This may allow an attacker to escalate their privileges to SYSTEM level. CA Unicenter Management Portal provides access to enterprise management information and various Unicenter management solutions such as personalized WEB interface. ---------------------------------------------------------------------- Bist Du interessiert an einem neuen Job in IT-Sicherheit? Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT- Sicherheit: http://secunia.com/secunia_vacancies/ ---------------------------------------------------------------------- TITLE: CA Various Products Message Queuing Vulnerabilities SECUNIA ADVISORY ID: SA16513 VERIFY ADVISORY: http://secunia.com/advisories/16513/ CRITICAL: Moderately critical IMPACT: Spoofing, DoS, System access WHERE: >From local network SOFTWARE: CA Unicenter TNG 2.x http://secunia.com/product/3206/ CA Unicenter Software Delivery 4.x http://secunia.com/product/5597/ CA Unicenter Software Delivery 3.x http://secunia.com/product/5596/ CA Unicenter Service Level Management 3.x http://secunia.com/product/5595/ CA Unicenter Remote Control 6.x http://secunia.com/product/2622/ CA Unicenter Performance Management for OpenVMS 2.x http://secunia.com/product/5573/ CA Unicenter Network and Systems Management (NSM) Wireless Network Management Option 3.x http://secunia.com/product/5594/ CA Unicenter Network and Systems Management (NSM) 3.x http://secunia.com/product/1683/ CA Unicenter Management for WebSphere MQ 3.x http://secunia.com/product/5590/ CA Unicenter Management for Web Servers 5.x http://secunia.com/product/5593/ CA Unicenter Management for Microsoft Exchange 4.x http://secunia.com/product/5591/ CA Unicenter Management for Lotus Notes/Domino 4.x http://secunia.com/product/5592/ CA Unicenter Jasmine 3.x http://secunia.com/product/5589/ CA Unicenter Enterprise Job Manager 1.x http://secunia.com/product/5588/ CA Unicenter Data Transport Option 2.x http://secunia.com/product/5587/ CA Unicenter Asset Management 4.x http://secunia.com/product/1682/ CA Unicenter Asset Management 3.x http://secunia.com/product/5586/ CA Unicenter Application Performance Monitor 3.x http://secunia.com/product/5585/ CA eTrust Admin 8.x http://secunia.com/product/5584/ CA eTrust Admin 2.x http://secunia.com/product/5583/ CA CleverPath Predictive Analysis Server 3.x http://secunia.com/product/5581/ CA CleverPath Predictive Analysis Server 2.x http://secunia.com/product/5580/ CA CleverPath OLAP 5.x http://secunia.com/product/5578/ CA CleverPath Enterprise Content Manager (ECM) 3.x http://secunia.com/product/5579/ CA CleverPath Aion 10.x http://secunia.com/product/5582/ CA BrightStor SAN Manager 11.x http://secunia.com/product/5576/ CA BrightStor SAN Manager 1.x http://secunia.com/product/5575/ CA BrightStor Portal 11.x http://secunia.com/product/5577/ CA Advantage Data Transport 3.x http://secunia.com/product/5574/ DESCRIPTION: Some vulnerabilities have been reported in various products within the CA Message Queuing (CAM / CAFT) software, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. 1) An unspecified error in the CAM service can be exploited to cause a DoS by sending specially crafted packets to the TCP port. 2) Unspecified boundary errors can be exploited to cause buffer overflows by sending specially crafted packets to the service. 3) An error can be exploited to spoof CAFT and execute arbitrary commands with escalated privileges. The vulnerabilities affect all versions of the CA Message Queuing software prior to versions 1.07 Build 220_13 and 1.11 Build 29_13. SOLUTION: Apply patches (see vendor advisory for details). PROVIDED AND/OR DISCOVERED BY: Reported by vendor. ORIGINAL ADVISORY: Computer Associates: http://supportconnectw.ca.com/public/ca_common_docs/camsecurity_notice.asp ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------