VARIoT IoT vulnerabilities database

Stack-based buffer overflow in the Message Queuing Server (Cam.exe) in CA (formerly Computer Associates) Message Queuing (CAM / CAFT) software before 1.11 Build 54_4 on Windows and NetWare, as used in CA Advantage Data Transport, eTrust Admin, certain BrightStor products, certain CleverPath products, and certain Unicenter products, allows remote attackers to execute arbitrary code via a crafted message to TCP port 3104. Multiple Computer Associates products are prone to a remote stack-based buffer-overflow vulnerability. This issue affects the Message Queuing (CAM/CAFT) component. The application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer. A successful exploit will allow an attacker to execute arbitrary code with SYSTEM-level privileges. There is a buffer overflow vulnerability in the CAM service when processing malformed user requests. Remote attackers may use this vulnerability to control the server. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. Please see the vendor's advisory for more details. CAM (Windows): http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO89945 CAM(Netware): http://supportconnect.ca.com/sc/redir.jsp?reqPage=search&searchID=QO89943 PROVIDED AND/OR DISCOVERED BY: IBM ISS X-Force ORIGINAL ADVISORY: CA: http://supportconnectw.ca.com/public/dto_transportit/infodocs/camsgquevul-secnot.asp IBM ISS X-Force: http://www.iss.net/threats/272.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ---------------------------------------------------------------------- . Mitigating Factors: None Severity: CA has given this vulnerability a High risk rating. i.e. CAM versions 1.04, 1.05, 1.06, 1.07, 1.10 (prior to Build 54_4) and 1.11 (prior to Build 54_4). Affected Products: Advantage Data Transport 3.0 BrightStor SAN Manager 11.1, 11.5 BrightStor Portal 11.1 CleverPath OLAP 5.1 CleverPath ECM 3.5 CleverPath Predictive Analysis Server 2.0, 3.0 CleverPath Aion 10.0 eTrust Admin 2.01, 2.04, 2.07, 2.09, 8.0, 8.1 Unicenter Application Performance Monitor 3.0, 3.5 Unicenter Asset Management 3.1, 3.2, 3.2 SP1, 3.2 SP2, 4.0, 4.0 SP1 Unicenter Data Transport Option 2.0 Unicenter Enterprise Job Manager 1.0 SP1, 1.0 SP2 Unicenter Jasmine 3.0 Unicenter Management for WebSphere MQ 3.5 Unicenter Management for Microsoft Exchange 4.0, 4.1 Unicenter Management for Lotus Notes/Domino 4.0 Unicenter Management for Web Servers 5, 5.0.1 Unicenter NSM 3.0, 3.1 Unicenter NSM Wireless Network Management Option 3.0 Unicenter Remote Control 6.0, 6.0 SP1 Unicenter Service Level Management 3.0, 3.0.1, 3.0.2, 3.5 Unicenter Software Delivery 3.0, 3.1, 3.1 SP1, 3.1 SP2, 4.0, 4.0 SP1 Unicenter TNG 2.1, 2.2, 2.4, 2.4.2 Unicenter TNG JPN 2.2 Affected Platforms: Windows and NetWare Platforms NOT affected: AIX, AS/400, DG Intel, DG Motorola, DYNIX, HP-UX, IRIX, Linux Intel, Linux s/390, MVS, Open VMS, OS/2, OSF1, Solaris Intel, Solaris Sparc and UnixWare. Status and Recommendation: CA has made patches available for all affected products. These patches are independent of the CA Software that installed CAM. Simply select the patch appropriate to the platform, and the installed version of CAM, and follow the patch application instructions. You should also review the product home pages on SupportConnect for any additional product specific instructions. Solutions for CAM: Platform Solution Windows QO89945 NetWare QO89943 How to determine if you are affected: Determining CAM versions: Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory. The example below indicates that CAM version 1.11 build 27 increment 2 is running. E:\>camstat CAM – machine.ca.com Version 1.11 (Build 27_2) up 0 days 1:16 Determining the CAM install directory: Windows: The install location is specified by the %CAI_MSQ% environment variable. Unix/Linux/Mac: The /etc/catngcampath text file holds the CAM install location. Workaround: The affected listening port can be disabled by creating or updating CAM's configuration file, CAM.CFG, with the following entry under the "*CONFIG" section: *CONFIG cas_port=0 The CA Messaging Server must be recycled in order for this to take effect. We advise that products dependent upon CAM should be shutdown prior to recycling CAM. Once dependent products have been shutdown, CAM can be recycled with the following commands: On Windows: camclose cam start On NetWare: load camclose load cam start Once CAM has been restarted, any CAM dependent products that were shutdown can be restarted. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFGpqCHeSWR3+KUGYURAt6DAJ0YpnaiwrNfhhQlvdvL28LYxBYbZgCfRpKQ pNdOPBvd1/BVRF6Lo65uo2o= =7w0f -----END PGP SIGNATURE-----

arclib.dll before 7.3.0.9 in CA Anti-Virus (formerly eTrust Antivirus) 8 and certain other CA products allows remote attackers to cause a denial of service (infinite loop and loss of antivirus functionality) via an invalid "previous listing chunk number" field in a CHM file. Multiple Computer Associates products are prone to a denial-of-service vulnerability because the applications fail to handle malformed CHM files. Successfully exploiting this issue will cause the affected applications to stop responding, denying service to legitimate users. This issue affects applications that use the 'arclib.dll' library versions prior to 7.3.0.9. The Arclib.DLL library in eTrust products has a security vulnerability. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: [CAID 35525, 35526]: CA Products Arclib Library Denial of Service Vulnerabilities CA Vuln ID (CAID): 35525, 35526 CA Advisory Date: 2007-07-24 Reported By: CVE-2006-5645 - Titon of BastardLabs and Damian Put <pucik at overflow dot pl> working with the iDefense VCP. CVE-2007-3875 - An anonymous researcher working with the iDefense VCP. Sergio Alvarez of n.runs AG also reported these issues. Impact: A remote attacker can cause a denial of service. Summary: CA products that utilize the Arclib library contain two denial of service vulnerabilities. The second vulnerability, CVE-2006-5645, is due to an application hang when processing a specially malformed RAR file. Mitigating Factors: None Severity: CA has given these vulnerabilities a Medium risk rating. Affected Products: CA Anti-Virus for the Enterprise (formerly eTrust Antivirus) 7.0, 7.1, r8, r8.1 CA Anti-Virus 2007 (v8) eTrust EZ Antivirus r7, r6.1 CA Internet Security Suite 2007 (v3) eTrust Internet Security Suite r1, r2 eTrust EZ Armor r1, r2, r3.x CA Threat Manager for the Enterprise (formerly eTrust Integrated Threat Management) r8 CA Anti-Virus Gateway (formerly eTrust Antivirus eTrust Antivirus Gateway) 7.1 CA Protection Suites r2, r3 CA Secure Content Manager (formerly eTrust Secure Content Manager) 1.1, 8.0 CA Anti-Spyware for the Enterprise (Formerly eTrust PestPatrol) r8, 8.1 CA Anti-Spyware 2007 Unicenter Network and Systems Management (NSM) r3.0, r3.1, r11, r11.1 BrightStor ARCserve Backup v9.01, r11 for Windows, r11.1, r11.5 BrightStor Enterprise Backup r10.5 BrightStor ARCserve Client agent for Windows eTrust Intrusion Detection 2.0 SP1, 3.0, 3.0 SP1 CA Common Services (CCS) r11, r11.1 CA Anti-Virus SDK (formerly eTrust Anti-Virus SDK) Status and Recommendation: CA has provided an update to address the vulnerabilities. The updated Arclib library is provided in automatic content updates with most products. Ensure that the latest content update is installed. In the case where automatic updates are not available, use the following product specific instructions. CA Secure Content Manager 1.1: Apply QO89469. CA Secure Content Manager 8.0: Apply QO87114. Unicenter Network and Systems Management (NSM) r3.0: Apply QO89141. Unicenter Network and Systems Management (NSM) r3.1: Apply QO89139. Unicenter Network and Systems Management (NSM) r11: Apply QO89140. Unicenter Network and Systems Management (NSM) r11.1: Apply QO89138. CA Common Services (CCS) r11: Apply QO89140. CA Common Services (CCS) r11.1: Apply QO89138. CA Anti-Virus Gateway 7.1: Apply QO89381. eTrust Intrusion Detection 2.0 SP1: Apply QO89474. eTrust Intrusion Detection 3.0: Apply QO86925. eTrust Intrusion Detection 3.0 SP1: Apply QO86923. CA Protection Suites r2: Apply updates for CA Anti-Virus 7.1. BrightStor ARCserve Backup and BrightStor ARCserve Client agent for Windows: Manually replace the arclib.dll file with the one provided in the CA Anti-Virus 7.1 fix set. 1. Locate and rename the existing arclib.dll file. 2. Download the CA Anti-Virus 7.1 patch that matches the host operating system. 3. Unpack the patch and place the arclib.dll file in directory where the existing arclib.dll file was found in step 1. 4. Reboot the host. CA Anti-Virus 7.1 (non Windows): T229327 – Solaris – QO86831 T229328 – Netware – QO86832 T229329 – MacPPC – QO86833 T229330 – MacIntel – QO86834 T229331 – Linux390 – QO86835 T229332 – Linux – QO86836 T229333 – HP-UX – QO86837 CA Anti-Virus 7.1 (Windows): T229337 – NT (32 bit) – QO86843 T229338 – NT (AMD64) – QO86846 CA Threat Manager for the Enterprise r8.1 (non Windows): T229334 – Linux – QO86839 T229335 – Mac – QO86828 T229336 – Solaris – QO86829 How to determine if you are affected: For products on Windows: 1. Using Windows Explorer, locate the file “arclib.dll”. By default, the file is located in the “C:\Program Files\CA\SharedComponents\ScanEngine” directory(*). 2. Right click on the file and select Properties. 3. Select the Version tab. 4. If the file version is earlier than indicated in the table below, the installation is vulnerable. File Name File Version arclib.dll 7.3.0.9 *For eTrust Intrusion Detection 2.0 the file is located in “Program Files\eTrust\Intrusion Detection\Common”, and for eTrust Intrusion Detection 3.0 and 3.0 sp1, the file is located in “Program Files\CA\Intrusion Detection\Common”. For CA Anti-Virus r8.1 on non-Windows: Use the compver utility provided on the CD to determine the version of arclib.dll. The same version information above applies. Workaround: None References (URLs may wrap): CA SupportConnect: http://supportconnect.ca.com/ Security Notice for CA Products Containing Arclib http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot .asp Solution Document Reference APARs: QO89469, QO87114, QO89141, QO89139, QO89140, QO89138, QO89140, QO89138, QO89381, QO89474, QO86925, QO86923, QO86831, QO86832, QO86833, QO86834, QO86835, QO86836, QO86837, QO86843, QO86846, QO86839, QO86828, QO86829 CA Security Advisor posting: CA Products Arclib Library Denial of Service Vulnerabilities http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=149847 CA Vuln ID (CAID): 35525, 35526 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35525 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=35526 Reported By: CVE-2006-5645 - Titon of BastardLabs and Damian Put <pucik at overflow dot pl> working with the iDefense VCP. CVE-2007-3875 - An anonymous researcher working with the iDefense VCP. Sergio Alvarez of n.runs AG also reported these issues. iDefense advisories: Computer Associates AntiVirus CHM File Handling DoS Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567 Multiple Vendor Antivirus RAR File Denial of Service Vulnerability http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=439 CVE References: CVE-2006-5645, CVE-2007-3875 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5645 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3875 OSVDB References: Pending http://osvdb.org/ Changelog for this advisory: v1.0 - Initial Release Customers who require additional information should contact CA Technical Support at http://supportconnect.ca.com. For technical questions or comments related to this advisory, please send email to vuln AT ca DOT com. If you discover a vulnerability in CA products, please report your findings to vuln AT ca DOT com, or utilize our "Submit a Vulnerability" form. URL: http://www.ca.com/us/securityadvisor/vulninfo/submit.aspx Regards, Ken Williams ; 0xE2941985 Director, CA Vulnerability Research CA, 1 CA Plaza, Islandia, NY 11749 Contact http://www.ca.com/us/contact/ Legal Notice http://www.ca.com/us/legal/ Privacy Policy http://www.ca.com/us/privacy/ Copyright (c) 2007 CA. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFGpp9beSWR3+KUGYURAplHAJ4paEd/cX+2AxdBWfnw2zhfjAGQwACfW+mo tCqbonQi4DvtQ9a45c65y70= =o8Ac -----END PGP SIGNATURE----- . BACKGROUND eTrust is an antivirus application developed by Computer Associates. More information can be found on the vendor's website at the following URL. http://www3.ca.com/solutions/product.aspx?ID=156 II. DESCRIPTION Remote exploitation of a denial of Service (DoS) vulnerability in Computer Associates Inc.'s eTrust Antivirus products could allow attackers to create a DoS condition on the affected computer. III. ANALYSIS This denial of service attack will prevent the scanner from scanning other files on disk while it is stuck on the exploit file. The hung process can be quit by the user and does not consume all system resources. IV. DETECTION iDefense has confirmed this vulnerability in eTrust AntiVirus version r8. Previous versions of eTrust Antivirus are suspected vulnerable. Other Computer Associates products, as well as derived products, may also be vulnerable. V. WORKAROUND iDefense is not aware of any workarounds for this issue. VI. VENDOR RESPONSE Computer Associates has addressed this vulnerability by releasing updates. More information is available within Computer Associates advisory at the following URL. http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-3875 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/16/2007 Initial vendor notification 01/17/2007 Initial vendor response 07/24/2007 Coordinated public disclosure IX. CREDIT The discoverer of this vulnerability wishes to remain anonymous. Get paid for vulnerability research http://labs.idefense.com/methodology/vulnerability/vcp.php Free tools, research and upcoming events http://labs.idefense.com/ X. LEGAL NOTICES Copyright \xa9 2007 iDefense, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. scanning a specially crafted RAR archive. Please see the vendor's advisory for details. 2) The vendor credits Titon of BastardLabs and Damian Put, reported via iDefense Labs. ORIGINAL ADVISORY: CA: http://supportconnectw.ca.com/public/antivirus/infodocs/caprodarclib-secnot.asp iDefense Labs: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=567 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cisco 4100 and 4400, Airespace 4000, and Catalyst 6500 and 3750 Wireless LAN Controller (WLC) software before 3.2 20070727, 4.0 before 20070727, and 4.1 before 4.1.180.0 allows remote attackers to cause a denial of service (traffic amplification or ARP storm) via a crafted unicast ARP request that (1) has a destination MAC address unknown to the Layer-2 infrastructure, aka CSCsj69233; or (2) occurs during Layer-3 roaming across IP subnets, aka CSCsj70841. Cisco Wireless LAN Controller (WLC) is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to crash the device, denying service to legitimate users. These issues affect Cisco Wireless LAN Control 3.2, 4.0, and 4.1; other versions may also be affected. Cisco Wireless LAN Controllers (WLCs) provide real-time communication between lightweight access points and other wireless-providing LAN controllers to perform centralized system-wide WLAN configuration and management functions. Vulnerable WLCs may mishandle unicast ARP requests from wireless clients, causing ARP storms. Both WLCs attached to the same set of Layer 2 VLANs must have wireless client contexts for this vulnerability to be exposed. This happens after using layer 3 (inter-subnet) roaming or when using guest WLAN (auto-anchor). This allows a second WLC to reprocess the ARP request and incorrectly re-forward the inclusion back to the network. This vulnerability is documented as CSCsj69233. In the case of Layer 3 (L3) roaming, wireless clients move from one controller to another, and the wireless LAN interfaces configured on different controllers are in different IP subnets. In this case, the unicast ARP may not be tunneled back to the anchor controller, but sent by the external controller to its native VLAN. This vulnerability is documented as CSCsj70841

Cisco 4100 and 4400, Airespace 4000, and Catalyst 6500 and 3750 Wireless LAN Controller (WLC) software 4.1 before 4.1.180.0 allows remote attackers to cause a denial of service (ARP storm) via a broadcast ARP packet that "targets the IP address of a known client context", aka CSCsj50374. Cisco Wireless LAN Controller (WLC) is prone to multiple denial-of-service vulnerabilities. An attacker can exploit these issues to crash the device, denying service to legitimate users. These issues affect Cisco Wireless LAN Control 3.2, 4.0, and 4.1; other versions may also be affected. Cisco Wireless LAN Controllers (WLCs) provide real-time communication between lightweight access points and other wireless-providing LAN controllers to perform centralized system-wide WLAN configuration and management functions. There is a vulnerability in the WLC's handling of unicast ARP traffic, and the LAN link between the wireless LAN controllers in the mobility group may be flooded with unicast ARP requests. Vulnerable WLCs may mishandle unicast ARP requests from wireless clients, causing ARP storms. Both WLCs attached to the same set of Layer 2 VLANs must have wireless client contexts for this vulnerability to be exposed. This happens after using layer 3 (inter-subnet) roaming or when using guest WLAN (auto-anchor). If multiple WLCs are installed on the corresponding VLAN, it will cause an ARP storm. This vulnerability is documented as CSCsj50374

The IM Server (aka IMserve or IMserver) 2.0.5.30 and probably earlier in Ipswitch Instant Messaging before 2.07 in Ipswitch Collaboration Suite (ICS) allows remote attackers to cause a denial of service (daemon crash) via certain data to TCP port 5179 that overwrites a destructor, as reachable by the (1) DoAttachVideoSender, (2) DoAttachVideoReceiver, (3) DoAttachAudioSender, and (4) DoAttachAudioReceiver functions. (1) DoAttachVideoSender function (2) DoAttachVideoReceiver function (3) DoAttachAudioSender function (4) DoAttachAudioReceiver function. Ipswitch Instant Messaging Server is prone to a remote denial-of-service vulnerability because the application fails to properly handle unexpected network data. Successfully exploiting this issue allows remote attackers to crash the IM service, denying further instant messages for legitimate users. Ipswitch IM Server 2.0.5.30 is vulnerable; other versions may also be affected. Ipswitch Instant Messaging is the instant messaging software bundled in the Ipswitch collaboration component. The vulnerable code can be reached through the following functions: DoAttachVideoSender DoAttachVideoReceiver DoAttachAudioSender DoAttachAudioReceiver. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. The vulnerability is reported in version 2.0.5.30. SOLUTION: Update to version 2.0.7. http://www.ipswitch.com/support/instant_messaging/patch-upgrades.asp PROVIDED AND/OR DISCOVERED BY: Discovered by an anonymous researcher and reported via iDefense. ORIGINAL ADVISORY: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=566 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Ipswitch IMail Server 2006 before 2006.21 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors involving an "overwritten destructor.". Ipswitch IMail Server 2006 There is a service disruption ( Daemon crash ) There is a vulnerability that becomes a condition.Service disruption by a third party ( Daemon crash ) There is a possibility of being put into a state. Imail Server is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Ipswitch IMail Server/Collaboration Suite Multiple Buffer Overflows SECUNIA ADVISORY ID: SA26123 VERIFY ADVISORY: http://secunia.com/advisories/26123/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: IMail Server 2006 http://secunia.com/product/8653/ Ipswitch Collaboration Suite 2006 http://secunia.com/product/8652/ DESCRIPTION: Some vulnerabilities have been reported in Ipswitch IMail Server and Collaboration Suite, which can be exploited by malicious users and malicious people to compromise a vulnerable system. 1) A boundary error in the processing of the IMAP "SEARCH" command can be exploited to cause a stack-based buffer overflow. Successful exploitation allows execution of arbitrary code, but requires a valid user account. 2) A boundary error in the processing of the IMAP "SEARCH CHARSET" command can be exploited to cause a heap-based buffer overflow. Successful exploitation allows execution of arbitrary code, but requires a valid user account. Vulnerabilities #1 and #2 are reported in version 6.8.8.1 of imapd32.exe. Prior versions may also be affected. 3) A boundary error in Imailsec can be exploited to cause a heap-based buffer overflow and allows execution of arbitrary code. 4) A boundary error in "subscribe" can be exploited to cause a buffer overflow. No further information is currently available. Vulnerabilities #3 and #4 are reported in Ipswitch IMail Server and Collaboration Suite prior to version 2006.21. SOLUTION: Update to IMail Server version 2006.21. http://www.ipswitch.com/support/imail/releases/im200621.asp Update to Ipswitch Collaboration Suite 2006.21. http://www.ipswitch.com/support/ics/updates/ics200621.asp PROVIDED AND/OR DISCOVERED BY: 1) Manuel Santamarina Suarez, reported via iDefense Labs. 2) An anonymous person, reported via iDefense Labs. 3, 4) The vendor credits TippingPoint and the Zero Day Initiative. ORIGINAL ADVISORY: IPSwitch: http://www.ipswitch.com/support/imail/releases/im200621.asp http://www.ipswitch.com/support/ics/updates/ics200621.asp iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The web portal interface in Citrix Access Gateway (aka Citrix Advanced Access Control) before Advanced Edition 4.5 HF1 places a session ID in the URL, which allows context-dependent attackers to hijack sessions by reading "residual information", including the a referer log, browser history, or browser cache. " Residual information " Can be hijacked in the session. Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Note: This is a belated release to the mailing lists (though most of the tracking services picked this up via the Citrix advisory)... -- History -- Discovered: 05.09.06 (Martin O'Neal) Vendor notified: 19.10.06 Document released: 20.07.07 -- Overview -- Citrix Access Gateways are described [1] as "universal SSL VPN appliances providing a secure, always-on, single point-of-access to an organization's applications and data". Amongst other features, the product provides a web portal to corporate applications and resources. -- Analysis -- The web portal interface incorporates a collection of .NET scripts, which utilise a session ID contained within cookies. During the authentication sequence the user session is redirected via a HTTP meta refresh header in an HTML response. The browser subsequently uses this within the next GET request (and the referer header field of the next HTTP request), placing the session ID in history files, and both client and server logs. The use of the session ID within the HTML content is made worse by the application not setting the HTTP cache control headers appropriately, which can lead to the HTML content being stored within the local browser cache. Where this is a particularly problem, is where the web portal is accessed from a shared or public access terminal, such as an Internet Caf,; the very environment that this type of solution is intended for. Strong authentication technology, such as SecurID 2FA, does not protect against this style of attack, as the session ID is generated after the strong authentication process is completed. -- Recommendations -- Review the recommendations in the Citrix alert [2]. Until the product is upgraded, consider reviewing you remote access policy to restrict the use of the product in shared-access environments. -- CVE -- The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0011 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems. -- References -- [1] http://www.citrix.com/English/ps2/products/product.asp?contentID =15005 [2] http://support.citrix.com/article/CTX113814 -- Revision -- a. Initial release. b. Released. -- Distribution -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- Disclaimer -- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information. -- About Corsaire -- Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research. A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com Copyright 2006-2007 Corsaire Limited. All rights reserved. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user\x92s active session. 2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in context of the logged-in user. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O\x92Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple unspecified vulnerabilities in (1) Net6Helper.DLL (aka Net6Launcher Class) 4.5.2 and earlier, (2) npCtxCAO.dll (aka Citrix Endpoint Analysis Client) in a Firefox plugin directory, and (3) a second npCtxCAO.dll (aka CCAOControl Object) before 4.5.0.0 in Citrix Access Gateway Standard Edition before 4.5.5 and Advanced Edition before 4.5 HF1 have unknown impact and attack vectors, possibly related to buffer overflows. NOTE: vector 3 might overlap CVE-2007-3679. This vulnerability CVE-2007-3679 And may overlap.Details of the impact of this vulnerability are unknown. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user\x92s active session. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Unspecified vulnerability in the client components in Citrix Access Gateway Standard Edition before 4.5.5 and Advanced Edition before 4.5 HF1 allows attackers to execute arbitrary code via unspecified vectors. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user\x92s active session. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O\x92Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site request forgery (CSRF) vulnerability in the web-based administration console in Citrix Access Gateway before firmware 4.5.5 allows remote attackers to perform certain configuration changes as administrators. Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user\x92s active session. 2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in context of the logged-in user. This can be exploited to e.g. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O\x92Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Citrix Access Gateway Advanced Edition before firmware 4.5.5 allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via unknown vectors. Citrix Access Gateway Standard and Advanced Edition are prone to multiple remote vulnerabilities. Exploiting these issues could allow an attacker to: - Obtain sensitive information - Execute code remotely - Hijack sessions - Redirect users to arbitrary sites - Make unauthorized configuration changes Citrix has released patches for these vulnerabilities. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user\x92s active session. 2) Multiple unspecified errors in client components (Net6Helper.DLL and npCtxCAO.dll as ActiveX control and Firefox plugin) of Access Gateway Standard and Advanced Editions can be exploited to execute arbitrary code in context of the logged-in user. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. Access Gateway Standard Edition 4.5: http://support.citrix.com/article/CTX114028 Access Gateway Advanced Edition 4.5: http://support.citrix.com/article/CTX112803 The vendor also recommends to remove the following components from client devices: VPN ActiveX components: * Net6Helper.DLL (Friendly name: Net6Launcher Class, version number up to and including 4.5.2) EPA Components (ActiveX): * npCtxCAO.dll (Friendly name: CCAOControl Object, version number up to 4,5,0,0) EPA Components (Firefox plugin): * npCtxCAO.dll (Friendly name: Citrix Endpoint Analysis Client, present in two locations) PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Martin O\x92Neal, Corsaire. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Citrix EPA ActiveX control (aka the "endpoint checking control" or CCAOControl Object) before 4.5.0.0 in npCtxCAO.dll in Citrix Access Gateway Standard Edition before 4.5.5 and Advanced Edition before 4.5 HF1 allows remote attackers to download and execute arbitrary programs onto a client system. Citrix EPA ActiveX control is prone to a remote code-execution vulnerability. An attacker may exploit this issue by enticing victims into visiting a malicious webpage. Successful exploits may allow attackers to execute arbitrary code on a victim's computer. This may facilitate a compromise of vulnerable computers. Citrix Access Gateway, a general-purpose SSL VPN device, provides secure and always-on single-point access support for information resources. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Symantec Vulnerability Research http://www.symantec.com/research Security Advisory Advisory ID: SYMSA-2007-006 Advisory Title: Citrix EPA ActiveX Control Design Flaw Author: Michael White / michael_white@symantec.com Release Date: 19-07-2007 Application: Citrix Access Gateway Platform: Internet Explorer/Win32 Severity: Remote arbitrary code execution Vendor status: Patch available CVE Number: CVE-2007-3679 Reference: http://www.securityfocus.com/bid/24865 Overview: Citrix Access Gateway offers a clientless SSL VPN solution implemented through a series of browser-based controls. As part of the endpoint validation, the ActiveX control for Internet Explorer downloads and executes a series of executable modules from the remote server. Details: Researchers identified that the endpoint checking control can be embedded in any web page and subverted to download and execute any executable module of the attacker\x92s choosing. This vulnerability represents a design flaw in the architecture of the endpoint validation practice. A high level of browser trust is required to allow the endpoint checks to function correctly, and the control is signed by Citrix Corporation. Vendor Response: This has been addressed by a product update. See http://support.citrix.com/article/CTX113815 Recommendation: Apply the product update as detailed in http://support.citrix.com/article/CTX113815 Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CVE-2007-3679 - -------Symantec Vulnerability Research Advisory Information------- For questions about this advisory, or to report an error: research@symantec.com For details on Symantec's Vulnerability Reporting Policy: http://www.symantec.com/research/Symantec-Responsible-Disclosure.pdf Symantec Vulnerability Research Advisory Archive: http://www.symantec.com/research/ Symantec Vulnerability Research GPG Key: http://www.symantec.com/research/Symantec_Vulnerability_Research_GPG.asc - -------------Symantec Product Advisory Information------------- To Report a Security Vulnerability in a Symantec Product: secure@symantec.com For general information on Symantec's Product Vulnerability reporting and response: http://www.symantec.com/security/ Symantec Product Advisory Archive: http://www.symantec.com/avcenter/security/SymantecAdvisories.html Symantec Product Advisory PGP Key: http://www.symantec.com/security/Symantec-Vulnerability-Management-Key.asc - --------------------------------------------------------------- Copyright (c) 2007 by Symantec Corp. Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Consulting Services. Reprinting the whole or part of this alert in any medium other than electronically requires permission from research@symantec.com. Disclaimer The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Symantec, Symantec products, and Symantec Consulting Services are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFGnRXXuk7IIFI45IARAla8AKDKwcYD23htC+trwq1Ke5Qvam99YACfUgJh VynDvAnppLmojz2wbrLfR+U= =QakL -----END PGP SIGNATURE----- . ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Citrix Access Gateway Multiple Vulnerabilities SECUNIA ADVISORY ID: SA26143 VERIFY ADVISORY: http://secunia.com/advisories/26143/ CRITICAL: Highly critical IMPACT: Cross Site Scripting, Exposure of sensitive information, System access WHERE: >From remote SOFTWARE: Citrix Access Gateway 4.x http://secunia.com/product/6168/ DESCRIPTION: Some vulnerabilities and a security issue have been reported in Citrix Access Gateway, which can be exploited by malicious people to disclose sensitive information, conduct cross-site request forgery attacks, or to compromise a user's system. 1) A security issue due to residual information left on the client device can be exploited to gain unauthorized access to a user\x92s active session. This security issue is reported in Access Gateway Advanced Edition 4.5 and prior. These vulnerabilities are reported in Access Gateway Standard Edition 4.5.2 and prior and Access Gateway Advanced Editions version 4.5 and prior with appliance firmware 4.5.2 and prior. 3) The web-based administration console of an Access Gateway appliance allows administrator to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. change certain configuration settings, by enticing a logged-in administrator to visit a malicious web site. This vulnerability is reported in Access Gateway model 2000 appliances with firmware version 4.5.2 and prior. Access Gateway Enterprise Edition is reportedly not affected. A redirection issue that may facilitate phishing attacks has also been reported. SOLUTION: Apply hotfix and update firmware to version 4.5.5. 2) The vendor credits Michael White, Symantec. 3) The vendor credits Paul Johnston. ORIGINAL ADVISORY: http://support.citrix.com/article/CTX113814 http://support.citrix.com/article/CTX113815 http://support.citrix.com/article/CTX113816 http://support.citrix.com/article/CTX113817 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The Common Internet File System (CIFS) optimization in Cisco Wide Area Application Services (WAAS) 4.0.7 and 4.0.9, as used by Cisco WAE appliance and the NM-WAE-502 network module, when Edge Services are configured, allows remote attackers to cause a denial of service (loss of service) via a flood of TCP SYN packets to port (1) 139 or (2) 445. Cisco Wide Area Application Services software is prone to a remote denial-of-service vulnerability. Exploiting this issue allows remote attackers to cause a device running the affected software to stop processing all types of traffic, effectively denying service to legitimate users. Cisco WAAS 4.0.7 and 4.0.9 are affected. NOTE: Only devices configured with Edge Services are vulnerable to this issue. There is a loophole in the implementation of WAAS, and a remote attacker may use this loophole to make the device unavailable. The CIFS function of WAAS software uses ports 139 and 445. This can be caused by network traffic sent directly to WAAS platforms or by automated systems such as host scanners, port scanners, or network worms. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. The vulnerability is caused due to an error in Edge Services, which uses CIFS optimisation, when handling packets sent to ports 139/TCP and 445/TCP. The vulnerability is reported in WAE appliances and the NM-WAE-502 network modules running WAAS versions 4.0.7 or 4.0.9. SOLUTION: Update to version 4.0.11. http://www.cisco.com/pcgi-bin/tablebuild.pl/waas40?psrtdcat20e2 PROVIDED AND/OR DISCOVERED BY: Reported by the vendor. ORIGINAL ADVISORY: Cisco: http://www.cisco.com/warp/public/707/cisco-sa-20070718-waas.shtml ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple buffer overflows in the IMAP service (imapd32.exe) in Ipswitch IMail Server 2006 before 2006.21 allow remote authenticated users to execute arbitrary code via the (1) Search or (2) Search Charset command. Ipswitch IMail Server is prone to multiple buffer-overflow vulnerabilities because the software fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. Successful attacks allow arbitrary code to run, facilitating the remote compromise of affected computers. Exploit attempts may also cause the application to crash. Ipswitch IMail Server 2006 is vulnerable to these issues; other versions may also be affected. Ipswitch IMail Server is an American Ipswitch company's mail server running on the Microsoft Windows operating system. IMail bundles an IMAP daemon (imapd32.exe) that allows users to access mail. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Ipswitch IMail Server/Collaboration Suite Multiple Buffer Overflows SECUNIA ADVISORY ID: SA26123 VERIFY ADVISORY: http://secunia.com/advisories/26123/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: IMail Server 2006 http://secunia.com/product/8653/ Ipswitch Collaboration Suite 2006 http://secunia.com/product/8652/ DESCRIPTION: Some vulnerabilities have been reported in Ipswitch IMail Server and Collaboration Suite, which can be exploited by malicious users and malicious people to compromise a vulnerable system. Vulnerabilities #1 and #2 are reported in version 6.8.8.1 of imapd32.exe. 3) A boundary error in Imailsec can be exploited to cause a heap-based buffer overflow and allows execution of arbitrary code. 4) A boundary error in "subscribe" can be exploited to cause a buffer overflow. No further information is currently available. Vulnerabilities #3 and #4 are reported in Ipswitch IMail Server and Collaboration Suite prior to version 2006.21. SOLUTION: Update to IMail Server version 2006.21. http://www.ipswitch.com/support/imail/releases/im200621.asp Update to Ipswitch Collaboration Suite 2006.21. http://www.ipswitch.com/support/ics/updates/ics200621.asp PROVIDED AND/OR DISCOVERED BY: 1) Manuel Santamarina Suarez, reported via iDefense Labs. 2) An anonymous person, reported via iDefense Labs. 3, 4) The vendor credits TippingPoint and the Zero Day Initiative. ORIGINAL ADVISORY: IPSwitch: http://www.ipswitch.com/support/imail/releases/im200621.asp http://www.ipswitch.com/support/ics/updates/ics200621.asp iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple buffer overflows in Ipswitch IMail Server 2006 before 2006.21 (1) allow remote attackers to execute arbitrary code via unspecified vectors in Imailsec and (2) allow attackers to have an unknown impact via an unspecified vector related to "subscribe.". Ipswitch IMail Server is prone to multiple buffer-overflow vulnerabilities because the software fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. Successful attacks allow arbitrary code to run, facilitating the remote compromise of affected computers. Exploit attempts may also cause the application to crash. Ipswitch IMail Server 2006 is vulnerable to these issues; other versions may also be affected. Ipswitch IMail Server is an American Ipswitch company's mail server running on the Microsoft Windows operating system. The IMailsec.dll component uses the lstrcpyA() function to copy the data provided by the user to a fixed-length heap buffer when trying to authenticate the user, so an attacker can trigger an overflow by submitting an overlong authentication request, resulting in arbitrary code execution. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: Ipswitch IMail Server/Collaboration Suite Multiple Buffer Overflows SECUNIA ADVISORY ID: SA26123 VERIFY ADVISORY: http://secunia.com/advisories/26123/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: IMail Server 2006 http://secunia.com/product/8653/ Ipswitch Collaboration Suite 2006 http://secunia.com/product/8652/ DESCRIPTION: Some vulnerabilities have been reported in Ipswitch IMail Server and Collaboration Suite, which can be exploited by malicious users and malicious people to compromise a vulnerable system. 1) A boundary error in the processing of the IMAP "SEARCH" command can be exploited to cause a stack-based buffer overflow. 2) A boundary error in the processing of the IMAP "SEARCH CHARSET" command can be exploited to cause a heap-based buffer overflow. Vulnerabilities #1 and #2 are reported in version 6.8.8.1 of imapd32.exe. 3) A boundary error in Imailsec can be exploited to cause a heap-based buffer overflow and allows execution of arbitrary code. 4) A boundary error in "subscribe" can be exploited to cause a buffer overflow. No further information is currently available. Vulnerabilities #3 and #4 are reported in Ipswitch IMail Server and Collaboration Suite prior to version 2006.21. SOLUTION: Update to IMail Server version 2006.21. http://www.ipswitch.com/support/imail/releases/im200621.asp Update to Ipswitch Collaboration Suite 2006.21. http://www.ipswitch.com/support/ics/updates/ics200621.asp PROVIDED AND/OR DISCOVERED BY: 1) Manuel Santamarina Suarez, reported via iDefense Labs. 2) An anonymous person, reported via iDefense Labs. 3, 4) The vendor credits TippingPoint and the Zero Day Initiative. ORIGINAL ADVISORY: IPSwitch: http://www.ipswitch.com/support/imail/releases/im200621.asp http://www.ipswitch.com/support/ics/updates/ics200621.asp iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=563 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Multiple buffer overflows in Ipswitch IMail before 2006.21 allow remote attackers or authenticated users to execute arbitrary code via (1) the authentication feature in IMailsec.dll, which triggers heap corruption in the IMail Server, or (2) a long SUBSCRIBE IMAP command, which triggers a stack-based buffer overflow in the IMAP Daemon. This vulnerability allows attackers to execute arbitrary code on vulnerable installations of Ipswitch IMail and ICS server. Authentication is not required to exploit this vulnerability.The specific flaw resides in IMailsec.dll while attempting to authenticate users. The affected component is used by multiple services that listen on a default installation. The authentication mechanism copies user-supplied data into fixed length heap buffers using the lstrcpyA() function. The unbounded copy operation can cause a memory corruption resulting in an exploitable condition. Authentication is required to exploit this vulnerability.The specific flaw exists due to a lack of bounds checking during theparsing of arguments to the SUBSCRIBE IMAP command sent to the IMAP daemon listening by default on TCP port 143. By providing an overly long string as the argument, an exploitable stack-based buffer overflow occurs. Ipswitch IMail Server is prone to multiple buffer-overflow vulnerabilities because the software fails to properly check boundaries on user-supplied data before copying it to an insufficiently sized buffer. Successful attacks allow arbitrary code to run, facilitating the remote compromise of affected computers. Exploit attempts may also cause the application to crash. Ipswitch IMail Server 2006 is vulnerable to these issues; other versions may also be affected. Ipswitch IMail Server is an American Ipswitch company's mail server running on the Microsoft Windows operating system. IMail bundles an IMAP daemon (imapd32.exe) that allows users to access mail. ZDI-07-042: Ipswitch IMail Server GetIMailHostEntry Memory Corruption Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-07-042.html July 24, 2007 -- CVE ID: CVE-2007-2795 -- Affected Vendor: Ipswitch -- Affected Products: Ipswitch IMail Ipswitch Collaboration Suite -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability since July 24, 2007 by Digital Vaccine protection filter ID 5224. -- Vendor Response: Ipswitch has issued an update to correct this vulnerability. More details can be found at: http://www.ipswitch.com/support/imail/releases/im200621.asp -- Disclosure Timeline: 2007.02.26 - Vulnerability reported to vendor 2007.07.24 - Digital Vaccine released to TippingPoint customers 2007.07.24 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by Sebastian Apelt (webmaster@buzzworld.org). -- About the Zero Day Initiative (ZDI): Established by TippingPoint, a division of 3Com, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. 3Com does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, 3Com provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, 3Com provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is being sent by 3Com for the sole use of the intended recipient(s) and may contain confidential, proprietary and/or privileged information. Any unauthorized review, use, disclosure and/or distribution by any recipient is prohibited. If you are not the intended recipient, please delete and/or destroy all copies of this message regardless of form and any included attachments and notify 3Com immediately by contacting the sender via reply e-mail or forwarding to 3Com at postmaster@3com.com

Unspecified vulnerability in mDNSResponder in Apple Mac OS X allows remote attackers to execute arbitrary code via unspecified vectors, a related issue to CVE-2007-2386. The problem is CVE-2007-2386 The problem is related to.A third party may execute arbitrary code. Failed exploit attempts likely result in a denial-of-service condition. NOTE: This has not been confirmed by any other researchers or the vendor. This vulnerability may be related to CVE-2007-2386. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: mDNSResponder: Multiple vulnerabilities Date: January 20, 2012 Bugs: #290822 ID: 201201-05 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in mDNSResponder, which could lead to execution of arbitrary code with root privileges. Background ========== mDNSResponder is a component of Apple's Bonjour, an initiative for zero-configuration networking. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/mDNSResponder < 212.1 >= 212.1 Description =========== Multiple vulnerabilities have been discovered in mDNSResponder. Please review the CVE identifiers referenced below for details. Workaround ========== There is no known workaround at this time. Resolution ========== All mDNSResponder users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/mDNSResponder-212.1" NOTE: This is a legacy GLSA. Updates for all affected architectures are available since November 21, 2009. It is likely that your system is already no longer affected by this issue. References ========== [ 1 ] CVE-2007-2386 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2386 [ 2 ] CVE-2007-3744 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3744 [ 3 ] CVE-2007-3828 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3828 [ 4 ] CVE-2008-0989 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0989 [ 5 ] CVE-2008-2326 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2326 [ 6 ] CVE-2008-3630 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3630 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-05.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5

The eSoft InstaGate EX2 UTM device does not require entry of the old password when changing the admin password, which might allow remote attackers to gain privileges by conducting a CSRF attack, making a password change from an unattended workstation, or other attacks. Instagate Ex2 Utm is prone to a denial-of-service vulnerability. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: eSoft InstaGate Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA26005 VERIFY ADVISORY: http://secunia.com/advisories/26005/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: eSoft InstaGate http://secunia.com/product/14790/ DESCRIPTION: Daniel Weber has reported a vulnerability in eSoft InstaGate, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused due to the web interface of the device allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited e.g. to change certain settings or to change the administrator's password by enticing a logged-in administrator to visit a malicious site. The vulnerability is reported in eSoft InstaGate EX2. Other versions may also be affected. SOLUTION: Update to firmware version 3.1.20070615 or later. PROVIDED AND/OR DISCOVERED BY: Daniel Weber, Calyptix Security ORIGINAL ADVISORY: http://labs.calyptix.com/CX-2007-05.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

The eSoft InstaGate EX2 UTM device stores the admin password within the settings HTML document, which might allow context-dependent attackers to obtain sensitive information by reading this document. Instagate Ex2 Utm is prone to a information disclosure vulnerability. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: eSoft InstaGate Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA26005 VERIFY ADVISORY: http://secunia.com/advisories/26005/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: eSoft InstaGate http://secunia.com/product/14790/ DESCRIPTION: Daniel Weber has reported a vulnerability in eSoft InstaGate, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused due to the web interface of the device allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited e.g. to change certain settings or to change the administrator's password by enticing a logged-in administrator to visit a malicious site. The vulnerability is reported in eSoft InstaGate EX2. Other versions may also be affected. SOLUTION: Update to firmware version 3.1.20070615 or later. PROVIDED AND/OR DISCOVERED BY: Daniel Weber, Calyptix Security ORIGINAL ADVISORY: http://labs.calyptix.com/CX-2007-05.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Cross-site request forgery (CSRF) vulnerability on the eSoft InstaGate EX2 UTM device before firmware 3.1.20070615 allows remote attackers to perform privileged actions as administrators. NOTE: the vendor disputes the distribution of the vulnerable software, stating that it was a custom build for a former customer. esoft of instagate ex2 utm Exists in unspecified vulnerabilities.None. A remote attacker can perform privileged operations like an administrator. ---------------------------------------------------------------------- Try a new way to discover vulnerabilities that ALREADY EXIST in your IT infrastructure. The Full Featured Secunia Network Software Inspector (NSI) is now available: http://secunia.com/network_software_inspector/ The Secunia NSI enables you to INSPECT, DISCOVER, and DOCUMENT vulnerabilities in more than 4,000 different Windows applications. ---------------------------------------------------------------------- TITLE: eSoft InstaGate Cross-Site Request Forgery Vulnerability SECUNIA ADVISORY ID: SA26005 VERIFY ADVISORY: http://secunia.com/advisories/26005/ CRITICAL: Less critical IMPACT: Cross Site Scripting WHERE: >From remote OPERATING SYSTEM: eSoft InstaGate http://secunia.com/product/14790/ DESCRIPTION: Daniel Weber has reported a vulnerability in eSoft InstaGate, which can be exploited by malicious people to conduct cross-site request forgery attacks. This can be exploited e.g. to change certain settings or to change the administrator's password by enticing a logged-in administrator to visit a malicious site. The vulnerability is reported in eSoft InstaGate EX2. Other versions may also be affected. SOLUTION: Update to firmware version 3.1.20070615 or later. PROVIDED AND/OR DISCOVERED BY: Daniel Weber, Calyptix Security ORIGINAL ADVISORY: http://labs.calyptix.com/CX-2007-05.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------