ZDI-11-302 : Adobe Reader U3D TIFF Resource Buffer Overflow Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-302
October 26, 2011

-- CVE ID:
CVE-2011-2432

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader X. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists because Adobe Reader X includes an old version of libtiff. Adobe Reader can be tricked into using this library by parsing a specially crafted PDF file containing U3D data. Because of the old version of libtiff, Adobe Reader is vulnerable to the issue described in CVE-2006-3459, which can be leveraged to execute remote code under the context of the user running the application.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, the Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:
http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at:
http://www.zerodayinitiative.com/advisories/disclosure_policy/

Follow the ZDI on Twitter:
http://twitter.com/thezdi

ZDI-11-301 : Adobe Reader U3D PICT 0Eh Encoding Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-301
October 26, 2011

-- CVE ID:
CVE-2011-2434

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way Adobe Reader handles PICT images. When Adobe Reader parses a PICT image containing a 0x0E opcode, the word following the opcode is interpreted as a loop counter for a copy of data from the file into a heap buffer that was allocated using the height and width of the picture. The resulting heap overflow can result in remote code execution under the rights of the current user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

ZDI-11-300 : Adobe Reader U3D PICT 10h Encoding Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-300
October 26, 2011

-- CVE ID:
CVE-2011-2433

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way Adobe Reader handles PICT images. When Adobe Reader parses a PICT image containing a 0x10 opcode, the word following the opcode is interpreted as a loop counter for a copy of data from the file into a heap buffer that was allocated using the height and width of the picture. The resulting heap overflow can result in remote code execution under the rights of the current user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

ZDI-11-299 : Adobe Reader PICT Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-299
October 26, 2011

-- CVE ID:
CVE-2011-2435

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Adobe 2D.x3d PICT image parsing routines. When Adobe Reader parses a PICT image it uses a static buffer to store certain image header values. Due to insufficient checks for the end of the buffer it is possible to write outside the stack buffer. The resulting stack overflow could result in remote code execution under the context of the current user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

ZDI-11-298 : Adobe Reader U3D IFF RGBA Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-298
October 26, 2011

-- CVE ID:
CVE-2011-2436

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Adobe image parsing library, when Adobe Reader tries to parse an .IFF image. While it copies the image data from the RGBA chunk, insufficient boundary checks are performed on a row counter, which could lead to a heap overflow. This could result in remote code execution with the rights of the current user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

ZDI-11-297 : Adobe Reader U3D PCX Parsing Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-297
October 26, 2011

-- CVE ID:
CVE-2011-2437

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Adobe image parsing library. When Adobe Reader tries to parse a .PCX image it creates a 32-bit loop counter based on the height and width of the image. It then enters a loop to copy data from the file into a memory buffer, but the loop counter used in that function is only a 16-bit integer and as such can never reach the end of the loop when the maximum loop count is bigger than 0x. Exploitation of this issue allows for remote code execution under the context of the user running the application.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

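The PCX flaw above (a 32-bit pixel total compared against a 16-bit loop counter) and the PICT 0x0E/0x10 flaws in ZDI-11-300 and ZDI-11-301 (a file-supplied loop count driving a copy into a buffer sized from height and width) are bound-check failures of one family. The C below is an added example, not ZDI's or Adobe's code: it shows the checks a hardened image decoder applies instead. The pixel cap, status codes, function names and sample pixel bytes are constructed for the illustration.

```c
/* Added example (not ZDI's or Adobe's code): the checks a hardened image decoder
 * applies against the PCX (ZDI-11-297) and PICT 0x0E/0x10 (ZDI-11-300/301) bug
 * classes. Sizes, caps and sample pixel data below are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum copy_status {
    COPY_OK = 0,
    COPY_ERR_DIMENSIONS,      /* width*height rejected before allocation       */
    COPY_ERR_ALLOC,           /* pixel buffer could not be allocated            */
    COPY_ERR_COUNT_TOO_LARGE, /* file-supplied loop count exceeds pixel buffer  */
    COPY_ERR_SOURCE_SHORT     /* file has fewer bytes than the count requests   */
};

/* PCX class: the advisory describes a 32-bit total derived from width*height but
 * a 16-bit loop counter. Once the total exceeds UINT16_MAX the counter wraps to 0
 * before it can equal the total, so the copy loop never terminates and writes
 * past the buffer. This predicate reports that condition without running such a
 * loop; a decoder must iterate on a counter as wide as the value it compares to. */
bool loop_counter_would_wrap(uint32_t width, uint32_t height) {
    uint64_t total = (uint64_t)width * (uint64_t)height;
    return total > UINT16_MAX;
}

/* Constructed sanity cap on pixel count; a real decoder picks one for its format. */
#define MAX_PIXELS ((uint64_t)1 << 28)

/* Overflow-checked buffer sizing. Returns 0 when the header dimensions are
 * unusable, so a caller can never allocate from a wrapped or absurd product. */
size_t pixel_buffer_size(uint32_t width, uint32_t height, uint32_t bytes_per_pixel) {
    if (width == 0 || height == 0) return 0;
    if (bytes_per_pixel == 0 || bytes_per_pixel > 8) return 0;
    uint64_t pixels = (uint64_t)width * (uint64_t)height;   /* cannot wrap in 64 bits */
    if (pixels > MAX_PIXELS) return 0;
    return (size_t)(pixels * bytes_per_pixel);              /* <= 2^31, fits size_t */
}

/* PICT class: the loop count comes from the file while the buffer was sized from
 * width*height. Treat the count as untrusted and bound it by both the destination
 * and the remaining source bytes; the loop index is a size_t, never a short. */
enum copy_status copy_pixels_checked(uint8_t *dst, size_t dst_len,
                                     const uint8_t *src, size_t src_len,
                                     uint32_t file_count) {
    if (file_count > dst_len) return COPY_ERR_COUNT_TOO_LARGE;
    if (file_count > src_len) return COPY_ERR_SOURCE_SHORT;
    for (size_t i = 0; i < file_count; i++) dst[i] = src[i];
    return COPY_OK;
}

/* Puts the checks together the way a decoder would: size the buffer from the
 * header, then let the file-supplied count copy only within it. On success the
 * caller owns *out_pixels (free() it) and *out_len holds its size. */
enum copy_status decode_constructed(uint32_t width, uint32_t height, uint32_t bpp,
                                    const uint8_t *src, size_t src_len,
                                    uint32_t file_count,
                                    uint8_t **out_pixels, size_t *out_len) {
    size_t need = pixel_buffer_size(width, height, bpp);
    if (need == 0) return COPY_ERR_DIMENSIONS;
    uint8_t *buf = calloc(need, 1);
    if (buf == NULL) return COPY_ERR_ALLOC;
    enum copy_status st = copy_pixels_checked(buf, need, src, src_len, file_count);
    if (st != COPY_OK) { free(buf); return st; }
    *out_pixels = buf;
    *out_len = need;
    return COPY_OK;
}

/* Constructed sample "file" payload: 16 pixel bytes. */
static const uint8_t SAMPLE_PIXELS[16] = {
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
    0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};

int main(void) {
    printf("256x256 image with a 16-bit counter wraps: %s\n",
           loop_counter_would_wrap(256, 256) ? "yes" : "no");

    uint8_t *px = NULL;
    size_t len = 0;
    /* 4x4 one-byte-per-pixel image, file count matches the buffer: accepted. */
    printf("count 16 into 4x4: status %d\n",
           decode_constructed(4, 4, 1, SAMPLE_PIXELS, sizeof SAMPLE_PIXELS, 16, &px, &len));
    free(px);
    /* Same header, file claims 17 iterations: rejected before any byte is written. */
    printf("count 17 into 4x4: status %d\n",
           decode_constructed(4, 4, 1, SAMPLE_PIXELS, sizeof SAMPLE_PIXELS, 17, &px, &len));
    return 0;
}
```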
ZDI-11-296 : Adobe Reader BMP Image RLE Decoding Remote Code Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-11-296
October 26, 2011

-- CVE ID:
CVE-2011-2438

-- CVSS:
7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Reader

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the Adobe image parsing library. When Adobe Reader tries to parse a malformed .BMP image containing Run Length Encoded data it fails to perform sufficient boundary checks on the data. The effect can be a heap buffer overflow resulting in remote code execution under the context of the current user.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More details can be found at:
http://www.adobe.com/support/security/bulletins/apsb11-24.html

-- Disclosure Timeline:
2011-05-12 - Vulnerability reported to vendor
2011-10-26 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* binaryproof

Cisco Security Advisory: Cisco Security Agent Remote Code Execution Vulnerabilities
Advisory ID: cisco-sa-20111026-csa
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)

Summary
=======

Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC Vulnerability Note VU#520721 at:
http://www.kb.cert.org/vuls/id/520721

Cisco has released free software updates that address this vulnerability. No workaround is available to mitigate these vulnerabilities.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-csa

Note: Effective October 18, 2011, Cisco moved the current list of Cisco Security Advisories and Responses published by Cisco PSIRT. The new location is:
http://tools.cisco.com/security/center/publicationListing

You can also navigate to this page from the Cisco Products and Services menu of the Cisco Security Intelligence Operations (SIO) Portal. Following this transition, new Cisco Security Advisories and Responses will be published to the new location. Although the URL has changed, the content of security documents and the vulnerability policy are not impacted. Cisco will continue to disclose security vulnerabilities in accordance with the published Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

These vulnerabilities only affect 6.x versions of Cisco Security Agent running on Windows platforms.

Products Confirmed Not Vulnerable
+--------------------------------

No software releases of Cisco Security Agent running on Linux platforms are affected. Software releases prior to 6.0 running on Windows platforms are not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems. Cisco Security Agents can be standalone agents or can be managed by the Cisco Security Agent Management Center.

Version 6.x of Cisco Security Agent running on Windows platforms is affected by the following vulnerabilities:

* Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect availability, related to File ID SDK. This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0794.

* Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect availability via vectors related to Outside In Filters. This vulnerability is assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0808.

These vulnerabilities are addressed and documented in Cisco bug ID CSCtq29413.

These vulnerabilities can be triggered during the normal operation of Cisco Security Agent if Data Loss Prevention (DLP) policies are enabled. The DLP policies are available only on Windows platforms. When inspected by Cisco Security Agent, a crafted file could allow an attacker to execute arbitrary code with Administrator privileges.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtq29413, Oracle Onenote library vulnerability in CSA

CVSS Base Score - 10
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - Complete
    Integrity Impact - Complete
    Availability Impact - Complete

CVSS Temporal Score - 8.3
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to perform remote code
Cisco Security Advisory: Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Advisory ID: cisco-sa-20111026-webex
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)

Summary
=======

Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.

The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The players can also be manually installed for offline playback after downloading the application from www.webex.com

If the WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file that is hosted on a WebEx meeting site. If the WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version from www.webex.com

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-webex

Affected Products
=================

The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code.

Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as "Client build: 27.25.4.11889." This indicates the server is running software version T27 SP25 EP4.

To determine whether a Cisco WebEx meeting site is running an affected version of the WebEx client build, users can log in to their Cisco WebEx meeting site and go to the Support > Downloads section. The version of the WebEx client build will be displayed on the right side of the page under "About Support Center." See "Software Versions and Fixes" for details.

Cisco recommends that users upgrade to the most current version of the player that is available from www.webex.com/downloadplayer.html. If the player is no longer needed, it can be removed using the "Mac Cisco-WebEx Uninstaller" or "Meeting Services Removal tool" available at support.webex.com/support/downloads.html.

Users can manually verify the installed version of the WRF player to determine whether it is affected by these vulnerabilities. To do so, an administrator must examine the version numbers of the installed files and determine whether the version of the file contains the fixed code. Detailed instructions on how to verify the version numbers are provided in the following sections. The following tables provide the first nonvulnerable version of each object.

Microsoft Windows
+----------------

Two dynamically linked libraries (DLLs) were updated on the Microsoft Windows platform to address the vulnerabilities that are described in this advisory. These files are in the folder C:\Program Files\WebEx\Record Playback or C:\Program Files (x86)\Webex\Record Player. The version number of a DLL can be obtained by browsing the Record Playback directory in Windows Explorer, right-clicking on the file name, and choosing Properties. The Version or Details tab of the Properties page provides details on the library version.

The following table gives the first fixed version number for each DLL. If the installed versions are equal to or greater than the versions provided in the table, the system is not vulnerable.

| Library | T26 SP49 | T27 SP11 | T27 SP21 | T27 SP25 | T27 SP28 |
Cisco Security Advisory: Cisco Unified Contact Center Express Directory Traversal Vulnerability
Cisco Unified Contact Center Express Directory Traversal Vulnerability

Advisory ID: cisco-sa-20111026-uccx
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)

Summary
=======

Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.

Cisco has released free software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx

Cisco Unified Communications Manager is also affected by this vulnerability and a separate advisory has been published at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm

Affected Products
=================

Vulnerable Products
+------------------

The following Cisco UCCX versions are vulnerable:

* Cisco UCCX version 6.0(x)
* Cisco UCCX version 7.0(x)
* Cisco UCCX version 8.0(x)
* Cisco UCCX version 8.5(x)

Note: Cisco UCCX versions prior to 6.0(x) reached end of software maintenance. Customers running versions prior to 6.0(x) should contact their Cisco support team for assistance in upgrading to a supported version of Cisco UCCX.

The following Cisco Unified IP Interactive Voice Response versions are vulnerable:

* Cisco Unified IP Interactive Voice Response version 6.0(x)
* Cisco Unified IP Interactive Voice Response version 7.0(x)
* Cisco Unified IP Interactive Voice Response version 8.0(x)
* Cisco Unified IP Interactive Voice Response version 8.5(x)

Note: Cisco Unified IP Interactive Voice Response versions prior to 6.0(x) reached end of software maintenance. Customers running versions prior to 6.0(x) should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unified IP Interactive Voice Response.

Products Confirmed Not Vulnerable
+--------------------------------

With the exception of Cisco Unified Communications Manager, no other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco Unified Contact Center Express is a single/two node server, integrated "contact center in a box" for use in deployments with up to 300 agents until software version 8.0(x) and 400 agents starting at version 8.5(x). The Cisco Unified Interactive Voice Response is a UCCX product package that provides IP call queuing and IP intelligent voice response functionality for contact centers.

Cisco Unified Communications Manager and Cisco Unified Contact Center Express Directory Traversal Vulnerability
+-------------------------------------------------------------------------------------------------------------

Cisco Unified Communications Manager, Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response contain a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem. The vulnerability is due to improper input validation, and could allow the attacker to traverse the filesystem directory. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system.

The vulnerability in Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response could be exploited over TCP port 8080 in 6.0(x) and 7.0(x) versions and TCP port 9080 starting in the 8.0(x) version of the product.

Note: In Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response versions 6.0(x) and 7.0(x), port 8080 could be reconfigured on the server.

This advisory addresses the vulnerability in Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response, which is documented in Cisco bug ID CSCts44049 and has been assigned CVE ID CVE-2011-3315.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS v
Cisco Security Advisory: Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras

Advisory ID: cisco-sa-20111026-camera
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)

Summary
=======

A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 2421, 2500 series and 2600 series devices. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted RTSP TCP packets to an affected device. Successful exploitation stops the camera from sending video streams and subsequently causes it to reboot. The reboot happens automatically and does not require action from an operator.

There are no workarounds that can be applied on the Cisco Video Surveillance IP Cameras themselves to mitigate exploitation of this vulnerability. Mitigations that can be deployed on Cisco devices within the network are available.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-camera

Note: Effective October 18, 2011, Cisco moved the current list of Cisco Security Advisories and Responses published by Cisco PSIRT. The new location is:
http://tools.cisco.com/security/center/publicationListing

You can also navigate to this page from the Cisco Products and Services menu of the Cisco Security Intelligence Operations (SIO) Portal. Following this transition, new Cisco Security Advisories and Responses will be published to the new location. Although the URL has changed, the content of security documents and the vulnerability policy are not impacted. Cisco will continue to disclose security vulnerabilities in accordance with the published Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series are affected by this vulnerability.

For Cisco Video Surveillance 2421 and 2500 series IP Cameras, all 1.1.x software releases and all releases prior to 2.4.0 are affected by this vulnerability.

For Cisco Video Surveillance 2600 IP Cameras, all software releases before 4.2.0-13 are affected by this vulnerability.

To check the version of system firmware that is running on the device and to determine the device model, log in to the device through the web management interface and navigate to the Status page.

Products Confirmed Not Vulnerable
+--------------------------------

The following Cisco Video Surveillance IP Cameras are confirmed not vulnerable:

  * Cisco Video Surveillance 2900 Series IP Cameras
  * Cisco Video Surveillance 4000 Series IP Cameras
  * Cisco Video Surveillance 5000 Series HD IP Dome Cameras

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

The Cisco Video Surveillance IP Cameras are feature-rich digital cameras designed to provide superior performance in a wide variety of video surveillance applications.

Cisco Video Surveillance IP Cameras RTSP Crafted Packet Vulnerability
+--------------------------------------------------------------------

The Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series devices are affected by an RTSP TCP crafted-packet denial of service vulnerability that may allow an unauthenticated attacker to cause the device to reload by sending a series of crafted packets. This vulnerability can be exploited from both wired and wireless segments.

This vulnerability is documented in the following Cisco bug IDs:

  * Cisco Video Surveillance 2421 IP Dome: Cisco bug ID CSCtj96312
  * Cisco Video Surveillance 2500 Series IP Cameras: Cisco bug ID CSCtj39462
  * Cisco Video Surveillance 2600 Series IP Cameras: Cisco bug ID CSCtl80175

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3318.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCtj96312, CSCtj39462, CSCtl80175 - Cisco Video Surveillance IP Cameras RTSP Crafted Packet Vulnerability

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
Cisco Security Advisory: Cisco Unified Communications Manager Directory Traversal Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cisco Unified Communications Manager Directory Traversal Vulnerability

Advisory ID: cisco-sa-20111026-cucm
Revision 1.0
For Public Release 2011 October 26 16:00 UTC (GMT)

Summary
=======

Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.

Cisco has released free software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.

This advisory is posted at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-cucm

Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response are also affected by this vulnerability, and a separate advisory has been published at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111026-uccx

Note: Effective October 18, 2011, Cisco moved the current list of Cisco Security Advisories and Responses published by Cisco PSIRT. The new location is:
http://tools.cisco.com/security/center/publicationListing

You can also navigate to this page from the Cisco Products and Services menu of the Cisco Security Intelligence Operations (SIO) Portal. Following this transition, new Cisco Security Advisories and Responses will be published to the new location. Although the URL has changed, the content of security documents and the vulnerability policy are not impacted. Cisco will continue to disclose security vulnerabilities in accordance with the published Security Vulnerability Policy.

Affected Products
=================

Vulnerable Products
+------------------

The following products are affected by this vulnerability:

  * Cisco Unified Communications Manager 6.x
  * Cisco Unified Communications Manager 7.x
  * Cisco Unified Communications Manager 8.x

Note: Cisco Unified Communications Manager version 5.1 reached end of software maintenance on February 13, 2010. Customers who are using Cisco Unified Communications Manager 5.x versions should contact their Cisco support team for assistance in upgrading to a supported version of Cisco Unified Communications Manager.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager 4.x is not affected by this vulnerability.

With the exception of Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response, no other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications.

Cisco Unified Communications Manager and Cisco Unified Contact Center Express Directory Traversal Vulnerability
+------------------------------------------------------------------------------------------------------------

Cisco Unified Communications Manager, Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response contain a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.

Note: The Cisco Unified Communications Manager web service runs on port 8080.

This advisory addresses the vulnerability in Cisco Unified Communications Manager, which is documented in Cisco bug ID CSCth09343 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-3315.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCth09343 - Cisco Unified Communications Manager and Cisco Unified Contact Center Express Directory Traversal Vulnerability

CVSS Base Score - 7.8
    Access Vector          - Network
    Access Complexity      - Low
    Authentication         - None
    Confidentiality Impact - Complete
    Integrity Impact       - None
    Availability Impact    - None

CVSS Temporal Score - 6.4
    Exploitability         - Functional
    Remediation Level
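Both Cisco advisories above (UCCX/Unified IP-IVR and Unified Communications Manager, the same CVE-2011-3315) describe the flaw only as improper input validation of a crafted URL against the web service on port 8080 or 9080; they do not publish the vulnerable path or the traversal string. The Python below is an added illustration, not Cisco code and not the actual exploit. It shows the bug class (a file-serving handler that joins the decoded URL path onto a document root without canonicalising it) next to a hardened resolver that rejects plain, percent-encoded, double-encoded and backslash forms of dot-dot, and a scanner an operator can run over access logs for the affected ports. The document root, the handler names and the log lines are constructed for the example.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed document root for the example; not a path from any Cisco product.
DOCROOT = "/var/www/app"


def vulnerable_resolve(docroot: str, request_path: str) -> str:
    """The bug class the advisories describe: the URL path is decoded once and
    glued onto the document root. Nothing stops '..' from walking above it."""
    return docroot + "/" + unquote(request_path).lstrip("/")


def hardened_resolve(docroot: str, request_path: str) -> Optional[str]:
    """Canonicalise the request, then prove the result still lies under docroot.
    Returns None (reject) for anything that escapes, including percent-encoded
    and double-encoded dot-dot sequences, backslash separators and NUL bytes."""
    p = request_path
    # Decode until stable: a front end that decodes once and a framework that
    # decodes again is how %252e%252e%252f turns into '../'.
    for _ in range(3):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    if "\x00" in p:                      # NUL truncation has no legitimate use here
        return None
    p = p.replace("\\", "/")             # treat backslash as a separator as well
    # normpath resolves '.', '..' and '//' relative to docroot; an escape
    # therefore shows up as a path that no longer starts with docroot.
    full = posixpath.normpath(posixpath.join(docroot, p.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        return None
    return full


# Dot-dot in the forms that survive a single decode, a double decode, or a
# backslash-tolerant server.
TRAVERSAL_RE = re.compile(
    r"(\.\.[\\/])|(%2e%2e[\\/])|(\.\.%2f)|(%2e%2e%2f)|(%252e%252e)|(\.\.%5c)",
    re.IGNORECASE)

# Constructed access-log lines: '<src_ip> <dst_port> "<METHOD> <path> HTTP/1.x" <status>'
SAMPLE_LOG = [
    '10.0.0.5 9080 "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 9080 "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200',
    '10.0.0.7 8080 "GET /app/../../../../etc/shadow HTTP/1.0" 403',
    '10.0.0.9 443 "GET /../../etc/passwd HTTP/1.1" 404',
]


def flag_traversal_requests(log_lines, ports=(8080, 9080)) -> List[Tuple[str, str]]:
    """Return (src_ip, path) for every request to one of `ports` whose path
    carries a dot-dot sequence. Status code is deliberately ignored: a 200 on a
    traversal path is the confirmation, but 403/404 still shows who is probing."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) (\d+) "(\w+) (\S+) HTTP/1\.\d" (\d{3})', line)
        if not m:
            continue
        src, port, _method, path, _status = m.groups()
        if int(port) in ports and TRAVERSAL_RE.search(path):
            hits.append((src, path))
    return hits


if __name__ == "__main__":
    probe = "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
    print("vulnerable ->", vulnerable_resolve(DOCROOT, probe))
    print("hardened   ->", hardened_resolve(DOCROOT, probe))
    for src, path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt from", src, "path", path)
```

The hardened resolver is the check to look for in any file-serving handler: normalise first, then compare against the root, never the other way round. The log scanner only looks at the request path; a traversal that arrives in a query parameter or a POST body needs the same regex applied to that field.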
[security bulletin] HPSBMU02714 SSRT100244 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03057508
Version: 1

HPSBMU02714 SSRT100244 rev.1 - HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows, Remote Unauthorized Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2011-10-26
Last Updated: 2011-10-26

Potential Security Impact: Remote unauthorized disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Network Node Manager i (NNMi) for HP-UX, Linux, Solaris, and Windows. The vulnerability could be remotely exploited, resulting in unauthorized disclosure of information.

References: CVE-2010-0738

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Network Node Manager i (NNMi) v8.x, v9.0x for HP-UX, Linux, Solaris, and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2010-0738    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has made a procedure available to resolve the vulnerability.

Edit the file:
  $NnmInstallDir/nonOV/jboss/nms/server/nms/deploy/jmx-console.war/WEB-INF/web.xml  [HP-UX, Linux, Solaris]
  %NnmInstallDir%\nonOV\jboss\nms\server\nms\deploy\jmx-console.war\WEB-INF\web.xml  [Windows]

Remove these lines:
  <http-method>GET</http-method>
  <http-method>POST</http-method>

MANUAL ACTIONS: Yes - NonUpdate
Edit the web.xml file as described above.

PRODUCT SPECIFIC INFORMATION

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX NNMi v8.x, NNMi v9.0x
HP-UX B.11.31
HP-UX B.11.23 (IA)
===================
HPOvNNM.HPNMSJBOSS
action: edit the web.xml file as described in the Resolution

END AFFECTED VERSIONS (for HP-UX)

HISTORY
Version:1 (rev.1) - 26 October 2011 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

The two-letter code following HPSB in the bulletin identifier is the software product category:
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2011 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk6oDfsACgkQ4B86/C0qfVk9dgCePa/7ktnheXs/uxDmyz1pkjgU
7QkAnRPIM7ossNuBBy0C92C1eUdb4veY
=hLvd
-----END PGP SIGNATURE-----
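The HP resolution above is the fix for the CVE-2010-0738 class of bug in the JBoss JMX console that NNMi bundles: the security-constraint in the console's web.xml enumerates GET and POST, and a servlet container applies a constraint that lists http-method elements only to the listed verbs. A request using any other verb reaches the console servlet without authentication; HEAD is the usual choice because HttpServlet's default doHead delegates to doGet, so the request is processed and only the response body is discarded. Removing the http-method lines makes the constraint cover every verb. The Python below is an added check, not HP or JBoss code: it parses a web.xml, reports every web-resource-collection that restricts itself to listed verbs, says which probe verbs would slip through, and applies the bulletin's edit. The sample descriptor is constructed to have the shape of the JMX console's web.xml; the resource and role names in it are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a JBoss jmx-console WEB-INF/web.xml
# before HP's edit. Names are illustrative, not taken from the product.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
</web-app>
"""

# Verbs worth probing: the two the constraint names, the standard ones it
# omits, and a nonsense token (containers route unknown verbs to service()).
PROBE_VERBS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so the check works for both
    DTD-based (servlet 2.3) and schema-based (2.4+) descriptors."""
    return tag.rsplit("}", 1)[-1]


def verb_limited_constraints(web_xml):
    """Return [(resource_name, [verbs])] for every web-resource-collection
    that lists http-method elements. Such a collection is protected only for
    the listed verbs; every other verb bypasses its auth-constraint."""
    root = ET.fromstring(web_xml)
    findings = []
    for coll in root.iter():
        if _local(coll.tag) != "web-resource-collection":
            continue
        verbs = [c.text.strip().upper() for c in coll
                 if _local(c.tag) == "http-method" and c.text]
        if verbs:
            name = next((c.text.strip() for c in coll
                         if _local(c.tag) == "web-resource-name" and c.text), "?")
            findings.append((name, verbs))
    return findings


def unprotected_verbs(web_xml, probes=PROBE_VERBS):
    """Verbs from `probes` that at least one verb-limited collection lets
    through unauthenticated. Empty list means no verb-tampering exposure."""
    leaks = set()
    for _name, verbs in verb_limited_constraints(web_xml):
        leaks.update(v for v in probes if v not in verbs)
    return sorted(leaks)


def remove_http_method_elements(web_xml):
    """The bulletin's fix: delete every http-method element so each
    constraint applies to all verbs. Returns the rewritten document."""
    root = ET.fromstring(web_xml)
    colls = [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]
    for coll in colls:
        for m in [c for c in coll if _local(c.tag) == "http-method"]:
            coll.remove(m)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("verb-limited:", verb_limited_constraints(WEAK_WEB_XML))
    print("unprotected :", unprotected_verbs(WEAK_WEB_XML))
    fixed = remove_http_method_elements(WEAK_WEB_XML)
    print("after fix   :", unprotected_verbs(fixed))
```

Run it against the deployed descriptor (the two paths in the Resolution) before and after the edit; the "unprotected" list should be empty afterwards. The same check applies to any other web application on the host whose constraints enumerate verbs, which the bulletin does not cover.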
Path disclosure in SPIP
Vulnerability ID: HTB23052
Reference: https://www.htbridge.ch/advisory/path_disclosure_in_spip.html
Product: SPIP
Vendor: www.spip.net ( http://www.spip.net )
Vulnerable Version: 2.1.11 and probably prior
Tested Version: 2.1.11
Vendor Notification: 05 October 2011
Vulnerability Type: Path disclosure
Status: Fixed by Vendor
Risk level: Low
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )

Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple path disclosure vulnerabilities in SPIP. The vulnerabilities exist due to improper error handling in multiple PHP scripts located in the /extensions/ folder. Requesting any of these scripts directly generates a PHP error that reveals the full filesystem path of the vulnerable script.

The following PoC code is available:

http://[host]/extensions/filtres_images/filtres/couleurs.php
http://[host]/extensions/filtres_images/filtres/images_lib.php
http://[host]/extensions/filtres_images/filtres/images_transforme.php
http://[host]/extensions/filtres_images/filtres/images_typo.php
http://[host]/extensions/filtres_images/inc/filtres_images.php
http://[host]/extensions/filtres_images/tests/couleur_extraire.php
http://[host]/extensions/filtres_images/tests/multiple_de_trois.php
http://[host]/extensions/filtres_images/tests/_couleur_hsl2rgb.php
http://[host]/extensions/filtres_images/tests/_couleur_hsv2rgb.php
http://[host]/extensions/filtres_images/tests/_couleur_rgb2hsl.php
http://[host]/extensions/filtres_images/tests/_couleur_rgb2hsv.php
http://[host]/extensions/porte_plume/inc/barre_outils.php

Successful exploitation of the vulnerabilities requires that "display_errors" is enabled.

Solution: Upgrade to the most recent version

Disclaimer: Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on the web page in the Reference field.
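To confirm a finding like the twelve PoC URLs above, a tester fetches each one and looks for a PHP error message that embeds an absolute path; the path minus the URL suffix is the web root, which is what makes a "low" path disclosure useful later. The Python below is an added example, not part of the High-Tech Bridge advisory or of SPIP: it classifies response bodies, handling both the plain-text and the html_errors form PHP emits and both Unix and Windows paths, and recovers the web root from each hit. The response bodies are constructed; the error texts, paths and line numbers in them are illustrative, not SPIP's actual output.

```python
import re

# A PHP error line in its two common shapes:
#   Fatal error: ... in /srv/app/x.php on line 12
#   <b>Warning</b>:  ... in <b>C:\inetpub\app\x.php</b> on line <b>7</b>
_PHP_ERROR_RE = re.compile(
    r"(?:<b>)?(Fatal error|Warning|Notice|Parse error|Deprecated)(?:</b>)?:\s*(.*?)"
    r"\s+in\s+(?:<b>)?((?:/|[A-Za-z]:\\)[^<\n]*?\.php)(?:</b>)?"
    r"\s+on\s+line\s+(?:<b>)?(\d+)(?:</b>)?")

# Constructed responses for three of the PoC URLs: two with display_errors on
# (one html_errors form, one plain form), one with display_errors off.
SAMPLE_RESPONSES = {
    "/extensions/filtres_images/filtres/couleurs.php":
        "<br />\n<b>Fatal error</b>:  Call to undefined function some_helper() in "
        "<b>/var/www/spip/extensions/filtres_images/filtres/couleurs.php</b> "
        "on line <b>41</b><br />\n",
    "/extensions/porte_plume/inc/barre_outils.php":
        "Fatal error: Class 'SomeClass' not found in "
        "C:\\inetpub\\wwwroot\\spip\\extensions\\porte_plume\\inc\\barre_outils.php "
        "on line 12\n",
    "/extensions/filtres_images/tests/multiple_de_trois.php": "",
}


def disclosed_paths(body):
    """Return [(level, path, line)] for every PHP error in `body` that reveals
    an absolute script path. An empty list means no disclosure."""
    return [(m.group(1), m.group(3), int(m.group(4)))
            for m in _PHP_ERROR_RE.finditer(body)]


def webroot_from_path(path, url_path):
    """Strip the URL path from the disclosed filesystem path to recover the web
    root, with backslashes normalised. None if the two do not line up."""
    p = path.replace("\\", "/")
    return p[:-len(url_path)] if p.endswith(url_path) else None


def scan(responses):
    """Map each URL to [(disclosed_path, webroot)]; URLs without a leak are
    omitted, so an empty dict means the host has display_errors off (or the
    scripts were fixed)."""
    report = {}
    for url, body in responses.items():
        found = disclosed_paths(body)
        if found:
            report[url] = [(path, webroot_from_path(path, url))
                           for _level, path, _line in found]
    return report


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_RESPONSES).items():
        for path, root in hits:
            print(f"{url}: leaks {path} (web root {root})")
```

On the server side the condition the advisory names is the fix: display_errors = Off and log_errors = On in php.ini (or set at application bootstrap) turns every one of these responses into the blank body the third sample shows, while the error still reaches the log.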
[ GLSA 201110-23 ] Apache mod_authnz_external: SQL injection
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           Gentoo Linux Security Advisory                           GLSA 201110-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Apache mod_authnz_external: SQL injection
      Date: October 25, 2011
      Bugs: #386165
        ID: 201110-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

An input sanitization flaw in mod_authnz_external allows a remote attacker to conduct SQL injection.

Background
==========

mod_authnz_external is a tool for creating custom authentication backends for HTTP basic authentication.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /        Unaffected
    -------------------------------------------------------------------
  1  www-apache/mod_authnz_external       < 3.2.6             >= 3.2.6

Description
===========

mysql/mysql-auth.pl in mod_authnz_external does not properly sanitize input before using it in an SQL query.

Impact
======

A remote attacker could exploit this vulnerability to inject arbitrary SQL statements by using a specially crafted username for HTTP authentication on a site using mod_authnz_external.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache mod_authnz_external users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=www-apache/mod_authnz_external-3.2.6"

References
==========

[ 1 ] CVE-2011-2688
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2688

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201110-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to secur...@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
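The GLSA above identifies the bug as mysql/mysql-auth.pl splicing the HTTP Basic-auth username into its SQL query. The Python below is an added illustration of that bug class and its fix, not the module's own code (the real script is Perl against MySQL; this one uses an in-memory SQLite table so it runs offline). It decodes a constructed Authorization header the way a Basic-auth backend receives it, shows the interpolating query being bypassed by a crafted username, and shows the parameterised query treating the same string as data. The table, the account and the passwords are constructed for the example.

```python
import base64
import hashlib
import sqlite3


def _h(password):
    """Password hash stored in the table (SHA-256 hex; illustrative only)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed user table with one legitimate account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", _h("correct horse")))
    return db


def basic_header(username, password):
    """Build the 'Authorization: Basic ...' value a client sends."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(header_value):
    """Split a Basic-auth header into (username, password). The username is
    everything before the first ':' and may contain any character the client
    chooses; that string is exactly what reaches the backend's query."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic auth")
    user, _, pw = base64.b64decode(blob).decode("utf-8", "replace").partition(":")
    return user, pw


def auth_vulnerable(db, username, password):
    """The bug class: the username is formatted into the SQL text. A quote
    closes the literal, OR makes the predicate true, and '--' comments out
    the password check that follows. The password is hashed before it is
    formatted in, which is why the username is the injection vector."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND pwhash = '%s'"
           % (username, _h(password)))
    return db.execute(sql).fetchone()[0] > 0


def auth_fixed(db, username, password):
    """The fix: the SQL text is constant and the driver binds the username as
    a value, so quotes and comment markers in it are just characters."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND pwhash = ?"
    return db.execute(sql, (username, _h(password))).fetchone()[0] > 0


def run_demo():
    """Exercise both backends with a legitimate login and a crafted username
    sent with a wrong password; returns the outcomes for inspection."""
    db = make_db()
    crafted = "' OR '1'='1' -- "
    user, pw = parse_basic_auth(basic_header(crafted, "wrong"))
    return {
        "legit_vulnerable": auth_vulnerable(db, "alice", "correct horse"),
        "legit_fixed": auth_fixed(db, "alice", "correct horse"),
        "crafted_vulnerable": auth_vulnerable(db, user, pw),  # True: bypass
        "crafted_fixed": auth_fixed(db, user, pw),            # False
        "wrong_pw_fixed": auth_fixed(db, "alice", "wrong"),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:20s} -> {'authenticated' if ok else 'rejected'}")
```

Note that the comment marker is what makes the bypass work without knowing a username: without it the injected OR would bind inside `... AND pwhash = '...'` and still require the hash to match. Any authentication backend that takes the Basic-auth username into a query needs the bound-parameter form, whatever language it is written in.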