[SECURITY] [DSA 3013-1] s3ql security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Debian Security Advisory DSA-3013-1 secur...@debian.org http://www.debian.org/security/Florian Weiemr August 27, 2014http://www.debian.org/security/faq - - Package: s3ql CVE ID : CVE-2014-0485 Nikolaus Rath discovered that s3ql, a file system for online data storage, used the pickle functionality of the Python programming language in an unsafe way. As a result, a malicious storage backend or man-in-the-middle attacker was able execute arbitrary code. For the stable distribution (wheezy), this problem has been fixed in version 1.11.1-3+deb7u1. We recommend that you upgrade your s3ql packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJT/jqRAAoJEL97/wQC1SS+DAEH/iFRJmp5zYsGtv3uK5kSQNxz pT4rMsDJnQTulgeo4xGQBSE0C7/mE4cSHkBvx/y8hrwvq41HZcrUcyiAjSnVUXXF LM8nJDj4n53KtXFgmRMDc8HVyiLVM/CPLJFJeJeNPeaKVk26unxvPE7A+Ou4dttH q9ObY+bF1KY27a76gw0lCHo40g3sw6y4Ov2FRgjZkyup/QCCwstnlECkmEFb7Mh/ B8M2l2+XRYBRuzBuUt/yR6O22N7m87DPo5Z7KqhldyaGa9D+psIzU/jhbdVSA+sB TSvW7Z41GQujCzaYR68743gvNv4nvCs328KPlo2PUSVHXiAGzGw5HHmj50A4thE= =Gh9d -END PGP SIGNATURE-
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
(, ) (,
. '.' ) ('.',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _/ / _ \ _
\ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ |\\ \__( _ ) Y Y \
/__ /\___|__ / \___ /|__|_| /
\/ \/.-.\/ \/:wq
(x.0)
'=.|w|.='
_==.
presents..
Aerohive Hive Manager and Hive OS Multiple Vulnerabilities
Affected Versions: Aerohive Hive Manager (Stand-alone and Cloud) = 6.1R3 and
HiveOS 6.1R3
PDF:
http://www.security-assessment.com/files/documents/advisory/Aerohive%20Hive%20Manager%20and%20Hive%20OS%20Multiple%20Vulnerabilities.pdf
+-+
| Description |
+-+
This document details multiple vulnerabilities found within the Aerohive Hive
Manager and HiveOS software. These
vulnerabilities have been disclosed to the vendor on or before the 24th of
April 2014.
-- Hive Manager Arbitrary File Disclosure --
Leveraging directory traversal, a malicious user can retrieve arbitrary files
from the Hive Manager file system. As the
Tomcat instance serving the Hive Manager software runs as the root user, this
vulnerability can be used to read any
file off the file system, including sensitive files such as /etc/shadow.
-- Hive Manager Arbitrary File Upload --
An authenticated malicious user may send a crafted post to the ‘upload’ servlet
and upload arbitrary files. As the
upload servlet is protected by HTTP basic authentication, this requires the
knowledge of the scpuser’s password.
-- Hive Manager Debugserver Code Execution --
It was discovered that an authenticated user may send a crafted request to the
Hive Manager ‘debugserver’ servlet
and execute arbitrary commands on the Hive Manager server.
-- Hive Manager Multiple Password Disclosure --
Multiple methods within the Hive Manager web interface were found to expose
sensitive information such as
usernames and passwords. A malicious entity may leverage these disclosures to
further compromise the Hive
Manager.
-- Hive Manager Reflected Cross Site Scripting --
Multiple Reflected Cross Site Scripting vulnerabilities were found within the
Hive Manager software. These
vulnerabilities allow a malicious entity to potentially gain JavaScript
execution within a legitimate user’s browser.
This is done with the aim of harming the user’s browser or hijacking their
session.
-- Hive Manager SSH Keys Lacking Passphrase --
An SSH key was found on the Hive Manager file system without any passphrase
set. This allows a malicious user
with access to the file system to gain unauthorised access to the system with
root user privileges.
-- Hive Manager Subshell Bypass --
By using a crafted SSH command, a malicious user may gain root access to the
Hive Manager with a fully functional
bash terminal, effectively bypassing the Aerohive subshell. This allows the
malicious user to perform tasks on the
underlying CentOS Linux operating system, including the retrieval of private
keys, passwords and other sensitive
information
-- Hive Manager Unauthenticated Arbitrary File Upload --
The Hive Manager HHMUploadServlet was found to suffer from an Unauthenticated
Arbitrary File Upload
vulnerability. By sending a crafted packet to the servlet, a malicious entity
is able to gain arbitrary code execution on
the Hive Manager server.
-- HiveOS Local File Inclusion --
Aerohive HiveOS was found to contain a Local File Inclusion Vulnerability
within the web administrative interface.
The Local File Inclusion allows a malicious entity to control what files are
included by the vulnerable PHP page. In
the event that the malicious entity is able to control an element on the file
system, this results in arbitrary code
execution. As user controlled information is present within the log-files of
the application, this is easily achievable.
-- HiveOS Password Disclosure --
Log files within the HiveOS operating system were found to disclose sensitive
information such as usernames and
password. A malicious user may leverage this information to further compromise
the Aerohive deployment or its
users.
-- HiveOS Unauthenticated Firmware Upload --
Insufficient authorisation checking was found to be being performed on certain
firmware upload functions. This
allows for the upload of a backdoored or otherwise malicious firmware by an
attacker.
+--+
| Exploitation |
+--+
Detailed exploitation information and code will be released in December 2014.
++
| Workaround |
++
Update to the latest version of Hive Manager and HiveOS software including the
cloud solutions.
++
| Credit |
++
Denis Andzakovic, Scott Bell, Nick Freeman, Thomas Hibbert, Carl Purvis, Pedro
Worcel.
+-+
|About Security-Assessment.com|
+-+
Security-Assessment.com is a New Zealand based world
leader in web
SEC Consult SA-20140828-0 :: F5 BIG-IP Reflected Cross-Site Scripting
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory 20140828-0
===
title: Reflected Cross-Site Scripting
product: F5 BIG-IP
vulnerable version: = 11.5.1
fixed version: 11.6.0
impact: Medium
CVE number: CVE-2014-4023
homepage: https://f5.com/
found: 2014-07-07
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
===
Vendor/product description:
- -
The BIG-IP product suite is a system of application delivery services that
work together on the same best-in-class hardware platform or software virtual
instance. From load balancing and service offloading to acceleration and
security, the BIG-IP system delivers agility—and ensures your applications
are fast, secure, and available.
URL: https://f5.com/products/big-ip
Vulnerability overview/description:
- ---
BIG-IP suffers from a reflected Cross-Site Scripting vulnerability,
which allow an attacker to steal other users sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
Proof of concept:
- -
The following HTTP request triggers the vulnerability:
POST /tmui/dashboard/echo.jsp HTTP/1.1
Host: BIGIP
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 29
scriptalert('xss')/script
The server does not properly encode user supplied information and returns it
to the user resulting in Cross-Site Scripting.
Vulnerable / tested versions:
- -
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
Vendor contact timeline:
-
2014-07-08: Sending advisory and proof of concept exploit via encrypted
channel.
2014-07-09: Vendor confirms receipt of advisory. States that fix will be
released in the next 6 weeks or so
2014-07-24: Vendor provides CVE: CVE-2014-4023
2014-08-26: Vendor releases fixed version.
2014-08-28: SEC Consult releases a coordinated security advisory.
Solution:
- -
Update to the newest version.
More information can be found at:
https://support.f5.com/kb/en-us/solutions/public/15000/500/sol15532.html
Workaround:
- ---
No workaround available.
Advisory URL:
- -
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested in working with the experts of SEC Consult?
Write to car...@sec-consult.com
EOF Stefan Viehböck / @2014
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJT/wVOAAoJECyFJyAEdlkKq9cIAKX9MEOpw8p9i8KWZXmkBiBr
S3n9YPNk6bbGbm+YfNCvXvtdSTPhh4I1wBY/WYWENpnQrwdiJ3couS5f2/DQzHTP
uCROxpmtxY1bokMS+ZHOPeGECk8RFr03kBZtGrF2cdGLWzBv7l+CnmopS8lnDVsw
44/R5hj3OdZxhD3btFLXss1RPbUDU1vGV9KpDgJmsssS5pzvG9I2T9xGibd0zBIA
WGA5jjGFitfQwDaxvqoocKgmBG2o3nQpdCShlaRiFklVJQYT1J+w/TWA1OOWZmxs
91m6C9fqAqgeIjmFSOE5c/rpiw7MdzH46yUzoVhbqm6wKcngLDDmZDuqPwaqH18=
=RsbU
-END PGP SIGNATURE-
[SECURITY] [DSA 3014-1] squid3 security update
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 - - Debian Security Advisory DSA-3014-1 secur...@debian.org http://www.debian.org/security/ Salvatore Bonaccorso August 28, 2014http://www.debian.org/security/faq - - Package: squid3 CVE ID : CVE-2014-3609 Debian Bug : 759509 Matthew Daley discovered that Squid3, a fully featured web proxy cache, did not properly perform input validation in request parsing. A remote attacker could use this flaw to mount a denial of service by sending crafted Range requests. For the stable distribution (wheezy), this problem has been fixed in version 3.1.20-2.2+deb7u2. For the unstable distribution (sid), this problem will be fixed soon. We recommend that you upgrade your squid3 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-annou...@lists.debian.org -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQIcBAEBCgAGBQJT/0wVAAoJEAVMuPMTQ89EDHAP/3gCb0fqRCHT2TjAkO2N3Nr4 r+FbG3RIGEhF4iCCeXbVkTMEegDoRctwIU0eVApqVN5sq3ienhk6/mHs7aF9YVHM TLNn1F7qBgbe8kt6QNVkl7BmkZHOTyr6tUyvLcDUL86P1dEITTbTfZtZ3tR3+ZQG aKcaosFgctw2/Qkk06umgUP1UEJQ64qwnO6YGDgV+ufNZPs+179q1egki7NwTcmu HHDGAhdR+TabfYeXJON0phlVuJefpakZHQ9ijy8A1q4dYQmaufjHTdbD1H9XtVLe z2ukKTW0xqEeswx9tDlOl+lBtxYe7Hsj6m4UZUHvs5SWFHP15vN8Iu8/alag2pIn QM8/OI8lEQpT/x/sH49eC1OV+VybYiwvsfHno/sC66z/lJdvAqVjW/LdSzRggsbS MaGZlu2ojxbVZXktOarYC8/d/wRBamlskngKnLDzN1Q6pFEwKqqfIJDOceK+ErcQ kdylGgHtbQoTgp/cdGJ9tnxg5q0AGPe6ZIM4sTeha4hgyz5Zee23TVcnU/z5WVuR S9ggqRTXIqyWm2LyDJTBdiGUBmwyWaioIQX7WjIt8ZkKwI2gR//dkwijRvOCjCrk HLJvu49QaO4PMmDQh82etQ3HjrJBdsGuHEQk0wfwjlMM2jFVvcsEroAidsDnVWp9 sISN74vSxWmaDEQ3CPiQ =S8Ft -END PGP SIGNATURE-
Re: SaaS Marketing platform Hubspot export vulnerability
We at HubSpot take the concerns of the security community seriously, and continuously work to improve our posture in this ever-changing field. We do have predefined roles in the application which allow our customers to segment users permissions based on their role. These horizontal permissions are quite common among SaaS vendors. The export functionality mentioned does have existing auditing capability in the back end. For exports, we have full audit trails for the timestamp, link to the file, customer id, and user id for all requests. We have never exposed this audit data to our customers through the UI because there has never been a high demand for this functionality. This issue is now in queue with our Engineering team and we will be releasing it shortly.
