[security bulletin] HPSBMU02836 SSRT101056 rev.1 - HP ArcSight Connector Appliance and ArcSight Logger, Remote Disclosure of Information, Command Injection, Cross-Site Scripting (XSS)

2013-02-21 Thread security-alert

Note: the current version of the following document is available here:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03606700

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03606700
Version: 1

HPSBMU02836 SSRT101056 rev.1 - HP ArcSight Connector Appliance and ArcSight
Logger, Remote Disclosure of Information, Command Injection, Cross-Site
Scripting (XSS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2013-02-14
Last Updated: 2013-02-14

Potential Security Impact: Remote disclosure of information, command
injection, cross-site scripting (XSS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HP ArcSight
Connector Appliance and HP ArcSight Logger. These vulnerabilities could be
exploited remotely to allow disclosure of information, command injection and
cross-site scripting (XSS).

References:
SSRT100864 VU#960468 CVE-2012-2960
SSRT101040 VU#829260 CVE-2012-3286
SSRT101056 VU#988100 CVE-2012-5198
SSRT101060 CVE-2012-5199

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP ArcSight Connector Appliance v6.3 and earlier; HP ArcSight Logger v5.2
and earlier

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference       Base Vector                     Base Score
  CVE-2012-2960   (AV:L/AC:L/Au:S/C:N/I:P/A:N)    1.7
  CVE-2012-3286   (AV:N/AC:L/Au:S/C:P/I:P/A:P)    6.5
  CVE-2012-5198   (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
  CVE-2012-5199   (AV:L/AC:L/Au:S/C:C/I:C/A:C)    6.8
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Michael Rutkowski of Duer Advanced
Technology and Aerospace, Inc (DATA), Chris Botelho of Errord Security, and
Shawn Asmus of Fishnet Security for reporting a vulnerability to CERT and
security-al...@hp.com.

The Hewlett-Packard Company thanks TEB Quantum Technology Sdn Bhd (Malaysia)
Professional Security Service Team for reporting a vulnerability to
security-al...@hp.com.

RESOLUTION

HP has provided HP ArcSight Connector Appliance v6.4 and HP ArcSight Logger
v5.3 to resolve these issues. Please contact HP support to receive updates.

Note:
CVE-2012-5198 was first addressed in HP ArcSight Connector Appliance v6.3.
HP recommends updating to the latest version of HP ArcSight Connector
Appliance and HP ArcSight Logger as advised in the resolution.

HISTORY
Version:1 (rev.1) - 14 February 2013 Initial release

Support: For issues about implementing the recommendations of this Security
Bulletin, contact the normal HP Services support channel. For other issues
about the content of this Security Bulletin, send e-mail to
security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin List: A list of HP Security Bulletins, updated
periodically, is contained in HP Security Notice HPSN-2011-001:
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02964430

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Support: For further information, contact the normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com
It is strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit information.
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-al...@hp.com
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins
via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems
  - verify your operating system selections are checked and save.

To update an exist

TeamSHATTER Security Advisory: SQL Injection in Oracle Alter FBA Table (CVE-2012-1751)

2013-02-21 Thread Shatter

TeamSHATTER Security Advisory

SQL Injection in Oracle Alter FBA Table

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Database Enterprise Edition 11.1, 11.2 

Remote exploitable:
Yes

Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.

Details:
Renaming a table that has a flashback archive, using a specially crafted table
name, triggers an internal SQL injection. This allows users to execute code
with elevated privileges.

Impact:
An attacker having control over a flashback-enabled table can get SYSDBA
privileges.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Do not grant flashback archive privilege to untrusted users. Limit access to
flashback-enabled tables to trusted users only.

Fix:
Apply Oracle Critical Patch Update October 2012 available at Oracle Support.

CVE:
CVE-2012-1751

Links:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
https://www.teamshatter.com/?p=4115

Timeline:
Vendor Notification - 1/23/2012
Vendor Response - 1/26/2012
Fix - 10/16/2012
Public Disclosure - 2/20/2013



-- 
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
About Application Security, Inc.

AppSecInc is a pioneer and leading provider of database security
solutions for the enterprise.
By providing strategic and scalable software-only solutions -
AppDetectivePro for auditors and IT advisors, and DbProtect for the
enterprise - AppSecInc supports the database security lifecycle for some
of the most complex and demanding environments in the world across more
than 1,300 active commercial and government customers.

Leveraging the world's most comprehensive database security
knowledgebase from the company's renowned team of threat researchers,
TeamSHATTER, AppSecInc products help customers achieve unprecedented
levels of data security from nefarious or accidental activities, while
reducing overall risk and helping to ensure continuous regulatory and
industry compliance.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.


TeamSHATTER Security Advisory: Oracle 11g Stealth Password Cracking Vulnerability (CVE-2012-3137)

2013-02-21 Thread Shatter

TeamSHATTER Security Advisory

Oracle 11g Stealth Password Cracking Vulnerability

February 20, 2013

Risk Level:
High

Affected versions:
Oracle Database Server version 11gR1, 11gR2

Remote exploitable:
Yes (No authentication to Database Server is needed)

Credits:
This vulnerability was discovered and researched by Esteban Martinez Fayo of
Application Security Inc.

Details:

There is a flaw in the way that Authentication Session Keys are generated and
protected by Oracle Database Server during the authentication process. It is
possible to use this flaw to perform unlimited password guesses (cracking) of
any user password, in a similar way as if the password hash were available.
All users that are authenticated by the database using logon protocol version
11 are affected by this vulnerability. This includes all users created with
the "IDENTIFIED BY" clause, including the SYS user.
The attack can be performed remotely without the need for a valid username and
password. The attacker just needs to know the SID of the database and the
name of a valid user. The attack can be done with just a few network packets
and without leaving any trace in native auditing facilities.

Impact:
Remote unauthenticated attackers can perform offline brute-force attacks on
users' passwords, testing millions of passwords per second.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
Some possible workarounds:
1) Use strong user passwords. A strong password will make password guessing
more difficult (or impossible) to solve in reasonable time.
2) Use external authentication. Only users that are authenticated by the
database are affected by this vulnerability. Users that are authenticated by
external means are not affected; this includes users authenticated by the
Operating System and the Network (SSL or third parties like Kerberos).
3) Disable protocol version 11 and use version 10 or lower instead. To do
this, set the initialization parameter SEC_CASE_SENSITIVE_LOGON to FALSE.
See https://www.teamshatter.com/?p=3951 for more information about the
workarounds.

Fix:
Apply Oracle Critical Patch Update October 2012 available at Oracle Support.

CVE:
CVE-2012-3137

Links:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
https://www.teamshatter.com/?p=4120
https://www.teamshatter.com/?p=3951

Timeline:
Vendor Notification - 4/21/2010
Vendor Response - 4/26/2010
Fix - 10/16/2012
Public Disclosure - 2/20/2013





Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability

2013-02-21 Thread Vulnerability Lab
Title:
==
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability


Date:
=
2013-02-13


References:
===
http://www.vulnerability-lab.com/get_content.php?id=789

#9984: Investigate Vulnerability Lab issues (this ticket included tracking the 
creation of our DBI shim to error on semi-colon)
#10149: Create a common function to escape characters that can be used for SQL 
injection
#10139: Review all mapping and flow analytics queries to make sure inputs 
included in SQL are escaped
#10141: Review all reporting and filtering queries to make sure inputs included 
in SQL are escaped
#10140: Review all alarm tab and admin tab queries to make sure inputs included 
in SQL are escaped


VL-ID:
=
789


Common Vulnerability Scoring System:

7.3


Introduction:
=
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic
analytics, visualization and reporting tool to measure and troubleshoot
network performance and utilization while increasing productivity for
enterprises and service providers. Scrutinizer supports a wide range of
routers, switches, firewalls, and data-flow reporting protocols, providing
unparalleled insight into application traffic analysis from IPFIX/NetFlow
data exported by Dell SonicWALL firewalls, as well as support for a wide range
of routers, switches, firewalls, and data-flow reporting protocols. IT
administrators in charge of high throughput networks can deploy Scrutinizer
as a virtual appliance for high performance environments.

(Copy of the Vendor Homepage:
http://www.sonicwall.com/us/en/products/Scrutinizer.html )



Abstract:
=
The Vulnerability Laboratory Research Team discovered a SQL injection
vulnerability in Dell's SonicWALL OEM Scrutinizer v9.5.2 appliance
application.


Report-Timeline:

2012-12-05: Researcher Notification & Coordination
2012-12-07: Vendor Notification
2013-01-08: Vendor Response/Feedback
2013-02-10: Vendor Fix/Patch
2013-02-11: Public Disclosure


Status:

Published


Affected Products:
==
DELL
Product: Sonicwall OEM Scrutinizer 9.5.2


Exploitation-Technique:
===
Remote


Severity:
=
High


Details:

A blind SQL injection vulnerability was detected in the SonicWALL OEM
Scrutinizer v9.5.2 appliance application.
The bug allows remote attackers to inject and execute their own SQL
statements/commands to manipulate the affected application's DBMS.
The SQL injection vulnerability is located in the fa_web.cgi file, in the
bound gadget listing module, via the vulnerable orderby or gadget
parameters. Exploitation requires no user interaction and no privileged
application user account. Successful exploitation of the remote SQL
injection vulnerability results in DBMS and application compromise.

Vulnerable File(s):
[+] fa_web.cgi

Vulnerable Module(s):
[+] gadget listing

Vulnerable Parameter(s):
[+] orderby
[+] gadget


Proof of Concept:
=
The remote SQL injection vulnerability can be exploited by remote attackers
without a privileged application user account and without user interaction.
For demonstration or to reproduce ...

PoC:
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27



Solution:
=
1) The Scrutinizer team created its own DB layer that will die if a semicolon
is found within a SQL query.
2) We have changed more queries to pass inputs as bound variables to the DB
engine, which prevents possible SQL injection.


Risk:
=
The security risk of the remote sql injection vulnerability is estimated as 
high(+).


Credits:

Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(b...@vulnerability-lab.com)


Disclaimer:
===
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a
particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of
business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply. We do not
approve or encourage anybody to break any vendor licenses, policies, deface
websites, hack into databases or trade with fraud/stolen material.

Domains:www.vulnerability-lab.com   - www.vuln

MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities

2013-02-21 Thread Vulnerability Lab
Title:
==
MyFi Wireless Disk 1.2 iPad iPhone - Multiple Vulnerabilities


Date:
=
2013-02-13


References:
===
http://www.vulnerability-lab.com/get_content.php?id=864


VL-ID:
=
864


Status:

Published



Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: ad...@vulnerability-lab.com - supp...@vulnerability-lab.com - resea...@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:  twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:   vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file
requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All
other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, sourcecode, videos and other information on this website is
trademark of vulnerability-lab team & the specific authors or managers. To
record, list (feed), modify, use or edit our material contact
(ad...@vulnerability-lab.com or supp...@vulnerability-lab.com) to get a
permission.

Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: resea...@vulnerability-lab.com




Re: Alt-N MDaemon Email Body HTML/JS Injection Vulnerability

2013-02-21 Thread brad . wyro
This has been fixed. More information can be found in the first line in the 
MDaemon release notes:

[10385] fix to WorldClient HTML injection vulnerability


Paper - Hiding Data in Hard-drive Service Areas

2013-02-21 Thread Ariel Berkman
Hi,

We've recently released a paper discussing the ability to hide data in
hard-drive service areas.
The paper is available for download at:
http://www.recover.co.il/SA-cover/SA-cover.pdf

The introduction section is pasted below:

In this paper we will demonstrate how spinning hard-drives’ service areas
can be used to hide data from the operating-system (or any software using the
standard OS’s API or the standard ATA commands to access the hard-drive).
These reserved areas are used by hard-drive vendors to store modules that in
turn operate the drive, and in a sense, together with the ROM, serve as the
hard-drive’s internal storage and OS. By sending Vendor Specific Commands
(VSCs) directly to the hard-drive, one can manipulate these areas to read
and write data that are otherwise inaccessible. This should not be confused
with DCO or HPA which can be easily detected, removed and accessed via
standard ATA commands.

Thanks,
Ariel.
--
Recover Information Technologies LTD.
http://www.recover.co.il