Nuance PowerPDF Advanced Metadata Information Disclosure Vulnerability (low|local)

[Christopher Hudel]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Vendor:
===
Nuance Communications

Product:

PowerPDF Advanced Version 1.0
PowerPDF Advanced Version 1.1

Advisory Information:
=
Local Information Leakage / Disclosure

Severity Level:
===
Low
 
Vulnerability Details and Impact:
=
The software permits the encoding/editing of meta-data such as Title,
Author, Subject, Keywords, etc.. When the information is removed or
overwritten within the interface, it appears that the previous
information is lost. However, the information remains within the PDF
file. This is a leak of potentially sensitive information after  a user
believes they have edited or removed it.

Individuals or organizations wishing to protect sensitive meta-data of a
PDF file may be unable to do so. This may cause inadvertent leakage of
information (previous authors, keywords, subjects, titles, etc..) that
an individual or organization does not wish to expose.

Exploit Methods:

There are no remote exploit methods for this vulnerability. The steps to
reproduce the vulnerability locally are detailed at the following
location: http://christopher.hudel.com/vulns/Nuance-CVE-Submission.pdf


Disclosure Timeline:

19-Jun-2015: Emailed technical contact of the nuance.com domain
(hostmas...@nuance.com) asking to be contacted regarding potential
information security vulnerability. [no response]

23-Jun-2015: Opened support ticket with Vendor. Through some periodic
email exchange, and a phone call (16-Jul-2015) to their support team,
was unable to have technical support department open the ticket and
receive information about the nature of the security vulnerability. (Was
not the volume purchase owner on record, so ability to submit the
vulnerability was denied).

01-Jul-2015: Reached out via LinkedIn to senior IT person listed in
LinkedIn for Nuance Corporation. [no response]

16-Jul-2015: Submitted vulnerability information to US-CERT. Response
was to (paraphrasing) "try harder". :)

16-Jul-2015: Submitted information and vulnerability details to
supp...@nuance.com, secur...@nuance.com, and me...@nuance.com [no
response]

08-Aug-2015: Submitted vulnerability to BugTraq mailing list.

Author / Role:
==
Christopher Hudel / independent security researcher

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given
to the author. The author is not responsible for any misuse of the
information contained herein and prohibits any malicious use of all
security related information or exploits by the author or elsewhere.
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBAgAGBQJVzNjpAAoJENxeBkNw/wLOQCMIAKZ9X3vhD7VsRdYC1vwYEoR3
XbcJO1RUSRa1S3iS0uiXtNAc2kPoXGeCMeoN7rIL34uPjbtHUH4tHr8aqEajcj/N
4meUgaTCgBBqPundDPhYH+YaRXGYAtpd6oXqaROlHXxPm3vAulXUCgpR4+qeTMHz
vvMyt0BTKKxsSkjCICiav9GbuPF48IeFnEDb6WSZhfpzNUT1jCPAX/tDkR15D83V
fDCfhRk3nHAZ8Kl4XviD3SszVPEyaj5qJjrj60rT+Lt8Y9zV31C3FrH58EM9mc4A
6wU8PBRgXI8rA55rihJBY+x/T4xT8O50nkUdMjTqdbQ/Q9sJNA0e8VK1GjOs/C0=
=/nZC
-END PGP SIGNATURE-

-- 
  Christopher Hudel
  christop...@hudel.com

APPLE-SA-2015-08-13-4 OS X Server v4.1.5

[Apple Product Security]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2015-08-13-4 OS X Server v4.1.5

OS X Server v4.1.5 is now available and addresses the following:

BIND
Available for:  OS X Yosemite v10.10.5 or later
Impact:  A remote attacker may be able to cause a denial of service
Description:  An assertion issue existed in the handling of TKEY
packets. This issue was addressed by updating BIND to version
9.9.7-P2.
CVE-ID
CVE-2015-5477


OS X Server v4.1.5 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJVzM4HAAoJEBcWfLTuOo7tu9cP/2It/oKRdKsIVpPwYotWpd4T
z27BBAR0F3IPDA+xtHoe3fVyHjC94jyHNyme7mMNDnU3vlueZRT+3hE5EtjlC8fI
kAtAhX8AnFQMYPhEhWO8XFbbqlObEx96IWUif5+U80466vGyjQqtFnBICLsg32ws
FefIXGbjep8c6JZOCWx+zu9Y8miwjAQdfkQFvySIVbaMwudXufLcUzgpag5gXeHn
hzT+GcHBivxWRh0guVlTZm124cSUjW8327/HM5KZSOfwTTdSXzl37/VJQmu8bBSK
0Ci4gwoFf4gRNhDiW/J1pJ4tHSYEijT+xhPs1D0SX9yhQYldFK9PTgfORnbP6xht
3H/L0PO8t9WUDzhbIoimJIyChJpWMwKoObwVrbn1VSRSwkGiMh4MqxCeJ0ThCcuG
FVjscvsHKtdaCu7Z4+drTHN6exurhnMSRuP81GnIFUU1cbD1YiKOGvG/WvjXD7Ht
w6PtkO4r2QkV+lkv9MgHLTVK066PGKbgdOqyvczIDaB38ot0+F/QU1P9ltaf1eJv
oWF/fcRJFY/gw1UBoLffFk1Cv1SBUauocbsrJdgcMfwvxN2otCfXU66ixySGDS/T
pgivXR19bIZYEQKPf+umLlaHbg0bhtCmdOIzivJESZMO6wbNoyMX+rezxZp1A+30
Vohf/oIuiMLP4o84Mg5n
=fp6V
-END PGP SIGNATURE-

APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update 2015-006

[Apple Product Security]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2015-08-13-2 OS X Yosemite v10.10.5 and Security Update
2015-006

OS X Yosemite v10.10.5 and Security Update 2015-006 is now available
and addresses the following:

apache
Available for:  OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact:  Multiple vulnerabilities existed in Apache 2.4.16, the most
serious of which may allow a remote attacker to cause a denial of
service.
Description:  Multiple vulnerabilities existed in Apache versions
prior to 2.4.16. These were addressed by updating Apache to version
2.4.16.
CVE-ID
CVE-2014-3581
CVE-2014-3583
CVE-2014-8109
CVE-2015-0228
CVE-2015-0253
CVE-2015-3183
CVE-2015-3185

apache_mod_php
Available for:  OS X Mavericks v10.9.5,
OS X Yosemite v10.10 to v10.10.4
Impact:  Multiple vulnerabilities existed in PHP 5.5.20, the most
serious of which may lead to arbitrary code execution.
Description:  Multiple vulnerabilities existed in PHP versions prior
to 5.5.20. These were addressed by updating Apache to version 5.5.27.
CVE-ID
CVE-2015-2783
CVE-2015-2787
CVE-2015-3307
CVE-2015-3329
CVE-2015-3330
CVE-2015-4021
CVE-2015-4022
CVE-2015-4024
CVE-2015-4025
CVE-2015-4026
CVE-2015-4147
CVE-2015-4148

Apple ID OD Plug-in
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A malicious application may be able change the password of a
local user
Description:  In some circumstances, a state management issue existed
in password authentication. The issue was addressed through improved
state management.
CVE-ID
CVE-2015-3799 : an anonymous researcher working with HP's Zero Day
Initiative

AppleGraphicsControl
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  An issue existed in AppleGraphicsControl which could
have led to the disclosure of kernel memory layout. This issue was
addressed through improved bounds checking.
CVE-ID
CVE-2015-5768 : JieTao Yang of KeenTeam

Bluetooth
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A local user may be able to execute arbitrary code with
system privileges
Description:  A memory corruption issue existed in
IOBluetoothHCIController. This issue was addressed through improved
memory handling.
CVE-ID
CVE-2015-3779 : Teddy Reed of Facebook Security

Bluetooth
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A malicious application may be able to determine kernel
memory layout
Description:  A memory management issue could have led to the
disclosure of kernel memory layout. This issue was addressed with
improved memory management.
CVE-ID
CVE-2015-3780 : Roberto Paleari and Aristide Fattori of Emaze
Networks

Bluetooth
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A malicious app may be able to access notifications from
other iCloud devices
Description:  An issue existed where a malicious app could access a
Bluetooth-paired Mac or iOS device's Notification Center
notifications via the Apple Notification Center Service. The issue
affected devices using Handoff and logged into the same iCloud
account. This issue was resolved by revoking access to the Apple
Notification Center Service.
CVE-ID
CVE-2015-3786 : Xiaolong Bai (Tsinghua University), System Security
Lab (Indiana University), Tongxin Li (Peking University), XiaoFeng
Wang (Indiana University)

Bluetooth
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  An attacker with privileged network position may be able to
perform denial of service attack using malformed Bluetooth packets
Description:  An input validation issue existed in parsing of
Bluetooth ACL packets. This issue was addressed through improved
input validation.
CVE-ID
CVE-2015-3787 : Trend Micro

Bluetooth
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A local attacker may be able to cause unexpected application
termination or arbitrary code execution
Description:  Multiple buffer overflow issues existed in blued's
handling of XPC messages. These issues were addressed through
improved bounds checking.
CVE-ID
CVE-2015-3777 : mitp0sh of [PDX]

bootp
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description:  Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)

CloudKit
Available for:  OS X Yosemite v10.10 to v10.10.4
Impact:  A malicious application may be able to access the iCloud
user record of a previously signed in user
Description:  A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto

CoreMedia Playback
Availab

APPLE-SA-2015-08-13-3 iOS 8.4.1

[Apple Product Security]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2015-08-13-3 iOS 8.4.1

iOS 8.4.1 is now available and addresses the following:

AppleFileConduit
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A maliciously crafted afc command may allow access to
protected parts of the filesystem
Description:  An issue existed in the symbolic linking mechanism of
afc. This issue was addressed by adding additional path checks.
CVE-ID
CVE-2015-5746 : evad3rs, TaiG Jailbreak Team

Air Traffic
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  AirTraffic may have allowed access to protected parts of the
filesystem
Description:  A path traversal issue existed in asset handling. This
was addressed with improved validation.
CVE-ID
CVE-2015-5766 : TaiG Jailbreak Team

Backup
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to create symlinks to
protected regions of the disk
Description:  An issue existed within the path validation logic for
symlinks. This issue was addressed through improved path
sanitization.
CVE-ID
CVE-2015-5752 : TaiG Jailbreak Team

bootp
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious Wi-Fi network may be able to determine networks
a device has previously accessed
Description:  Upon connecting to a Wi-Fi network, iOS may have
broadcast MAC addresses of previously accessed networks via the DNAv4
protocol. This issue was addressed through disabling DNAv4 on
unencrypted Wi-Fi networks.
CVE-ID
CVE-2015-3778 : Piers O'Hanlon of Oxford Internet Institute,
University of Oxford (on the EPSRC Being There project)

Certificate UI
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  An attacker with a privileged network position may be able
to accept untrusted certificates from the lock screen
Description:  Under certain circumstances, the device may have
presented a certificate trust dialog while in a locked state. This
issue was addressed through improved state management.
CVE-ID
CVE-2015-3756 : Andy Grant of NCC Group

CloudKit
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to access the iCloud
user record of a previously signed in user
Description:  A state inconsistency existed in CloudKit when signing
out users. This issue was addressed through improved state handling.
CVE-ID
CVE-2015-3782 : Deepkanwal Plaha of University of Toronto

CFPreferences
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious app may be able to read other apps' managed
preferences
Description:  An issue existed in the third-party app sandbox. This
issue was addressed by improving the third-party sandbox profile.
CVE-ID
CVE-2015-3793 : Andreas Weinlein of the Appthority Mobility Threat
Team

Code Signing
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A malicious application may be able to execute unsigned code
Description:  An issue existed that allowed unsigned code to be
appended to signed code in a specially crafted executable file. This
issue was addressed through improved code signature validation.
CVE-ID
CVE-2015-3806 : TaiG Jailbreak Team

Code Signing
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A specially crafted executable file could allow unsigned,
malicious code to execute
Description:  An issue existed in the way multi-architecture
executable files were evaluated that could have allowed unsigned code
to be executed. This issue was addressed through improved validation
of executable files.
CVE-ID
CVE-2015-3803 : TaiG Jailbreak Team

Code Signing
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  A local user may be able to execute unsigned code
Description:  A validation issue existed in the handling of Mach-O
files. This was addressed by adding additional checks.
CVE-ID
CVE-2015-3802 : TaiG Jailbreak Team
CVE-2015-3805 : TaiG Jailbreak Team

CoreMedia Playback
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Viewing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in CoreMedia
Playback. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-5777 : Apple
CVE-2015-5778 : Apple

CoreText
Available for:  iPhone 4s and later,
iPod touch (5th generation) and later, iPad 2 and later
Impact:  Processing a maliciously crafted font file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory

APPLE-SA-2015-08-13-1 Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8

[Apple Product Security]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2015-08-13-1 Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8

Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8 is now available and
addresses the following:

Safari Application
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  Visiting a malicious website may lead to user interface
spoofing
Description:  A malicious website could open another site and prompt
for user input without a way for the user to tell where the prompt
came from. The issue was addressed by displaying the prompt origin to
the user.
CVE-ID
CVE-2015-3729 : Code Audit Labs of VulnHunt.com

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-3730 : Apple
CVE-2015-3731 : Apple
CVE-2015-3732 : Apple
CVE-2015-3733 : Apple
CVE-2015-3734 : Apple
CVE-2015-3735 : Apple
CVE-2015-3736 : Apple
CVE-2015-3737 : Apple
CVE-2015-3738 : Apple
CVE-2015-3739 : Apple
CVE-2015-3740 : Apple
CVE-2015-3741 : Apple
CVE-2015-3742 : Apple
CVE-2015-3743 : Apple
CVE-2015-3744 : Apple
CVE-2015-3745 : Apple
CVE-2015-3746 : Apple
CVE-2015-3747 : Apple
CVE-2015-3748 : Apple
CVE-2015-3749 : Apple

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  A malicious website may trigger plaintext requests to an
origin under HTTP Strict Transport Security
Description:  An issue existed where Content Security Policy report
requests would not honor HTTP Strict Transport Security. This issue
was addressed through improved HTTP Strict Transport Security
enforcement.
CVE-ID
CVE-2015-3750 : Muneaki Nishimura (nishimunea)

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  Image loading may violate a website's Content Security
Policy directive
Description:  An issue existed where websites with video controls
would load images nested in object elements in violation of the
website's Content Security Policy directive. This issue was addressed
through improved Content Security Policy enforcement.
CVE-ID
CVE-2015-3751 : Muneaki Nishimura (nishimunea)

WebKit
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  Content Security Policy report requests may leak cookies
Description:  Two issues existed in how cookies were added to Content
Security Policy report requests. Cookies were sent in cross-origin
report requests in violation of the standard. Cookies set during
regular browsing were sent in private browsing. These issues were
addressed through improved cookie handling.
CVE-ID
CVE-2015-3752 : Muneaki Nishimura (nishimunea)

WebKit Canvas
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  A malicious website may exfiltrate image data cross-origin
Description:  Images fetched through URLs that redirected to a
data:image resource could have been exfiltrated cross-origin. This
issue was addressed through improved canvas taint tracking.
CVE-ID
CVE-2015-3753 : Antonio Sanso and Damien Antipa of Adobe

WebKit Page Loading
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  Cached authentication state may reveal private browsing
history
Description:  An issue existed in caching of HTTP authentication.
Credentials entered in private browsing mode were carried over to
regular browsing which would reveal parts of the user's private
browsing history. This issue was addressed through improved caching
restrictions.
CVE-ID
CVE-2015-3754 : Dongsung Kim (@kid1ng)

WebKit Process Model
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5,
and OS X Yosemite v10.10.4
Impact:  Visiting a malicious website may lead to user interface
spoofing
Description:  Navigating to a malformed URL may have allowed a
malicious website to display an arbitrary URL. This issue was
addressed through improved URL handling.
CVE-ID
CVE-2015-3755 : xisigr of Tencent's Xuanwu Lab

Safari 8.0.8, Safari 7.1.8, and Safari 6.2.8 may be obtained from
the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

-BEGIN PGP SIGNATURE-

iQIcBAEBCAAGBQJVzM3yAAoJEBcWfLTuOo7tYZcP/1LnHEMuFI+SqUczpBZssu+S
k5VHU4YHg37SVeGXWPYhmWnz1NG+t3h5UZmPKwupqHWgA1JbzRcUAEozBLt6kHoL
V8FQJPdiMNHwuqvgHlE8YK8Z9Ep3bS0bvVr/EyE/QghaJxi9IUXGZPNQt5ikP2LA
ZafmMrgQF5GRyYeaWsOw12tEiD/wc9f6ThMwtgsOW8LyjTLwf7qPt084sxj2XLTC
GZym1TPjlu6FodGk2ZCSP1a4WwHljBjXyaUlRG

Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

[Stefan Kanthak]

"Kevin Beaumont"  wrote:

[...]

> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table.

Cf.  where WPBT is linked to
 alias


> Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
>
>
http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted.  The
> executable code is run under under Session Manager context (i.e.
> SYSTEM).

This sort of feature is NOT new: with Windows 2003 Microsoft introduced
the loading of "virtual OEM device drivers" during Windows setup, see


AFAIK at least HP and Dell used this method to deploy [F6] drivers
embedded in their BIOS.

[...]

stay tuned
Stefan Kanthak

[security bulletin] HPSBGN03393 rev.1 - HP Operations Manager i, Remote Code Execution

[security-alert]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04762687

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04762687
Version: 1

HPSBGN03393 rev.1 - HP Operations Manager i, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-12
Last Updated: 2015-08-12

Potential Security Impact: Remote code execution

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Operations
Manager i (OMi) running on Linux and Windows. The vulnerability could be
exploited remotely to execute code.

References: CVE-2015-2137, SSRT102189

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Manager i v9.22, v9.23, v9.24, v9.25, v10.00 and v10.01 running
on Linux and Windows

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2015-2137(AV:N/AC:M/Au:N/C:C/I:C/A:C)   9.3
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided patches for HP Operations Manager i (OMi) to resolve the
vulnerabilities. These patches are available at HP Software Support Online
here: http://support.openview.hp.com/selfsolve/patches Some impacted versions
require a Rollup Hotfix as a prerequisite for installation, this hotfix is
included in the package of OMI_00114 and OMI_00115, respectively.

Note: For HP Operations Manager i v9.22, v9.23, v9.24, v9.25, v10.00 and
v10.01 running on Linux and Windows, follow the recommendation to install the
needed service packs and hotfixes.

Impacted OMi version and OS
 OMi Service pack
 Required IP
 Patch

OMi 9.22, 9.23 on Linux
 Service Pack 9.24

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00062
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00069
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00115

OMi 9.22, 9.23 on Windows
 Service Pack 9.24

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00063
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00068
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00114

OMi 9.24 on Linux
 none
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00069
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00115

OMi 9.24 on Windows
 none
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00068
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00114

OMi 9.25 on Linux
 none
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00091
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00113

OMi 9.25 on Windows
 none
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00090
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00112

OMi 10.00 on Linux
 none
 IP2

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00085
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00109

OMi 10.00 on Windows
 none
 IP2

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00086
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00108

OMi 10.01 on Linux
 none
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00094
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00111

OMi 10.01 on Windows
 none
 IP1

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsea
rch/document/LID/OMI_00095
 https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetse
arch/document/lid/OMI_00110

HISTORY
Version:1 (rev.1) - 12 August 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues abou

[security bulletin] HPSBGN03386 rev.1 - HP Central View Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud Control, Subscription Fraud Prevent

[security-alert]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04751893

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04751893
Version: 1

HPSBGN03386 rev.1 - HP Central View Fraud Risk Management, Revenue Leakage
Control, Dealer Performance Audit, Credit Risk Control, Roaming Fraud
Control, Subscription Fraud Prevention, Remote Disclosure of Information,
Local Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-08-12
Last Updated: 2015-08-12

Potential Security Impact: Remote disclosure of information, local disclosure
of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Central View
Fraud Risk Management, Revenue Leakage Control, Dealer Performance Audit,
Credit Risk Control, Roaming Fraud Control, and Subscription Fraud
Prevention. The vulnerabilities could be exploited remotely and locally to
allow disclosure of information.

References:

CVE-2015-5406 (SSRT101995)
CVE-2015-5407
CVE-2015-5408

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP CentralView Fraud Risk Management v11.1, v11.2, v11.3 Windows Client
HP CentralView Revenue Leakage Control v4.1, v4.2, v4.3 Windows Client
HP CentralView Dealer Performance Audit v2.0, v2.1 Windows Client Software
HP CentralView Credit Risk Control v2.1, v2.2, v2.3 Windows Client Software
HP CentralView Roaming Fraud Control v2.1, v2.2, v2.3 Windows Client Software
HP CentralView Subscription Fraud Prevention v2.0, v2.1 Windows Client
Software

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference  Base Vector Base Score
CVE-2015-5406(AV:N/AC:L/Au:S/C:C/I:C/A:C)9
CVE-2015-5407(AV:L/AC:H/Au:S/C:C/I:C/A:C)6
CVE-2015-5408(AV:L/AC:H/Au:S/C:C/I:C/A:C)6
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Spyridon Chatzimichail for reporting this
issue to security-al...@hp.com.

RESOLUTION

Customers are recommended to use the latest product versions that provide a
web client for secure access to HP CentralView systems.

The windows client has been deprecated and replaced by the web client in the
latest releases. Remote access to information issues will be addressed with a
patch on the latest available minor version, customers will be required to
update to that minor version to obtain the corrections.

HISTORY
Version:1 (rev.1) - 12 August 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HP Services support channel.  For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported
product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin
alerts via Email:
http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is
available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2015 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or
its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice.
Hewlett-Packard Company and the names of Hewlett-Packard products referenced
herein are trademarks of Hewlett-Packard Company in the United States and
other countries. Other product and company names mentioned herein may be
trademarks of their res

Update: Backdoor and RCE found in 8 TOTOLINK router models

[Pierre Kim]

Hello,

This is an update to:
  - Backdoor and RCE found in 8 TOTOLINK router models
(http://seclists.org/fulldisclosure/2015/Jul/80 )
  - Backdoor credentials found in 4 TOTOLINK router models
(http://seclists.org/fulldisclosure/2015/Jul/79 )
  - 4 TOTOLINK router models vulnerable to CSRF and XSS attacks
(http://seclists.org/fulldisclosure/2015/Jul/78 )
  - 15 TOTOLINK router models vulnerable to multiple RCEs
(http://seclists.org/fulldisclosure/2015/Jul/77 )

Totolink has released new firmwares on 2015-07-25 and also removed the
old firmwares from their website.

The backdoor is still present in the new firmware images but it is not
launched at the startup anymore.

You can check yourself by downloading the images and by using binwalk:

Example with N300RH-V2:
  $ wget -O 'TOTOLINK%20N300RH-V2.0.1_20150725.zip'
'http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V2.0.1_20150725.zip'
  $ 7z x TOTOLINK%20N300RH-V2.0.1_20150725.zip
  [...]
  $ binwalk -e *web
  DECIMAL   HEXADECIMAL DESCRIPTION
  

  160x10bzip2 compressed data, block size = 900k
  3094030x4B89B LZMA compressed data, properties:
0x88, dictionary size: 1048576 bytes, uncompressed size: 65535 bytes
  3201820x4E2B6 LZMA compressed data, properties:
0x5D, dictionary size: 8388608 bytes, uncompressed size: 3414764 bytes
  1274560   0x1372C0Squashfs filesystem, little endian,
version 4.0, compression:lzma, size: 2251972 bytes,  321 inodes,
blocksize: 131072 bytes, created: Thu May  4 11:47:12 2006
  $ cd _*/
  $ 7z x *squashfs
  Processing archive: 1372C0.squashfs

  Extracting  bin
  Extracting  dev
  [...]
  Everything is Ok
  $ strings bin/skt | grep iptables
  iptables -I INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
  iptables -D INPUT -p tcp --dport 80 -i eth1 -j ACCEPT
  $ tail -n 5 etc/init.d/rcS

  # start web server
  boa
  #skt&

They commented the `skt&` execution in the /etc/init.d/rcS.
The bin/skt backdoor is still there but not activated.
I encourage TOTOLINK users to audit next firmwares to make sure the
backdoor is not reactivated by "error".

There are no security indications in the "Firmware Update Release
Information" ( 
http://www.totolink.net/sub/news/board_content.asp?b_type=BOARD1&idx=164
) and I don't want to waste my time to check if they patched the other
security holes (RCE, XSS, CSRF ...) described here:
  - 
https://pierrekim.github.io/blog/2015-07-16-15-TOTOLINK-products-vulnerable-to-multiple-RCEs.html
  - 
https://pierrekim.github.io/blog/2015-07-16-4-TOTOLINK-products-vulnerable-to-CSRF-and-XSS-attacks.html
  - 
https://pierrekim.github.io/blog/2015-07-16-backdoor-credentials-found-in-4-TOTOLINK-products.html
  - 
https://pierrekim.github.io/blog/2015-07-16-backdoor-and-RCE-found-in-8-TOTOLINK-products.html

By the way, Totolink released a statement the 2015-07-30 saying that
there are no backdoors in their routers and threatened to sue medias
regarding "totally irresponsible behavior", stating my research
contains "some unverified information" (From:
http://www.totolink.net/sub/news/board_content.asp?b_type=BOARD1&idx=165
):


 ZIONCOM (HK) Technology Ltd (ZIONCOM, the manufacturer of
TOTOLINK Router), would like to make an official announcement
regarding some inappropriately news report from network media that
were totally irresponsible behavior for reporting some unverified
information to damage our company reputation.

 1. TOTOLINK do not compromise user privacy and security, TOTOLINK
 product has not been installed any monitor software on user
behavior after we verified all of our current inventory in Hong Kong
market so it is impossible to monitor user behavior. ZIONCOM will
reserve the right to take legal action against the media report on the
wrong information broadcasting that may damage our company and product
reputations.

 2. Regarding the problem of a default login password of a TOTOLINK
 router may trigger an invasion from hacker through remote
control, we would like to recommend all users to change the default
password at the first time login.We will make an announcement through
our Global website ( http://www.totolink.net )  for launching new
firmware update program for solving the bug soon.



Note that some firmwares have apparently not been correctly updated.
For example, the "this-is-a-feature-not-a-backdoor-executable" is
still activated in the latest N300RH-V3 firmware router (
http://www.totolink.net/include/download.asp?path=down/010500&file=TOTOLINK%20N300RH-V3.0.0_20150331.zip
, from the N300RH webpage ).
You can check by yourself the "unverified information" by using the
precedent commands: the file /etc/init.d/rcS still contains skt& to
execute the "this-is-a-feature-not-a-backdoor-executable" /bin/skt at
startup):

  $ wget -O TOTOLINK%20N300RH-V3.0.0_20150331.zip
'http://www.totol

Re: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

[Jerome Athias]

Some more info

https://www.us-cert.gov/ncas/current-activity/2015/08/12/Lenovo-Service-Engine-LSE-BIOS-Vulnerability


2015-08-12 14:44 GMT+03:00 Kevin Beaumont :
> PRECURSOR
>
> There will be debate about if this is a vulnerability.  It affects a
> majority of user PCs -- including all Enterprise editions of Windows,
> there is no way to disable it, and allows direct code execution into
> secure boot sequences.  I believe it is worth discussing.
>
> SCOPE
>
> Microsoft documented a feature in Windows 8 and above called Windows
> Platform Binary Table.  Up until two days ago, this was a single Word
> document not referenced elsewhere on Google:
>
>  
> http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us
>
> This feature allows a BIOS to deliver the payload of an executable,
> which is run in memory, silently, each time a system is booted.  The
> executable code is run under under Session Manager context (i.e.
> SYSTEM).
>
> This technique is being used by Lenovo and HP to silently deliver
> software, even after systems are completely wiped.  This issue came to
> light in this forum thread:
> http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819
>
> Additionally, the code is injected and executed in Windows after the
> Windows kernel has booted - meaning hard drives are accessible.  In a
> HP document - http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
> 18 - they reference they use Windows Platform Binary Table to inject
> their code into encrypted systems (e.g. BitLocker) ().
>
> MITIGATIONS
>
> It is not possible to disable this functionality.  If you can gain
> access to the BIOS, you can inject code into the Windows boot sequence
> using the documentation linked above.  The BIOS delivered PE code is
> not countersigned by Microsoft.
>
> Microsoft say: "If partners intentionally or unintentionally introduce
> malware or unwanted software though the WPBT, Microsoft may remove
> such software through the use of antimalware software.  Software that
> is determined to be malicious may be subject to immediate removal
> without notice."
>
> However, you are relying on Microsoft being aware of attacks.  Since
> the code is executed in memory and not written to disk prior to
> activation, Windows Defender does not even scan the executed code.

Cisco Unified Communications Manager Multiple Vulnerabilities (VP2015-001)

[Bernhard Mueller]

Vantage Point Security Advisory 2015-001


Title: Cisco Unified Communications Manager Multiple Vulnerabilities
Vendor: Cisco
Vendor URL: http://www.cisco.com/
Versions affected:  <9.2, <10.5.2, <11.0.1.
Severity: Low to medium
Vendor notified: Yes
Reported: Oct. 2014
Public release: Aug. 13th, 2015
Author: Bernhard Mueller 

Summary:


Cisco Unified Communications Manager (CUCM) offers services such as
session management, voice, video, messaging, mobility, and web
conferencing.

During the last year, Vantage Point Security has reported four
security issues to Cisco as listed below.


1. Shellshock command injection


Users of CUCM can access limited functionality via the web interface
and Cisco console (SSH on port 22). Because the SSH server is
configured to process several environment variables from the client
and a vulnerable version of bash is used, it is possible to exploit
command injection via specially crafted environment variables
(CVE-2014-6271 a.k.a. shellshock). This allows an attacker to spawn a
shell running as the user "admin".


Several environment variables can be used to exploit the issue. Example:


$ LC_PAPER="() { x;};/bin/sh" ssh administra...@examplecucm.com


2. Local File Inclusion
---

The application allows users to view the contents of any locally
accessible files on the web server through a vulnerability known as
LFI (Local File Inclusion). LFI vulnerabilities are commonly used to
download application source code, configuration files and files
containing sensitive information such as passwords.


https://cucm.example.com/:8443/reporter-servlet/GetFileContent?Location=/&FileName=/usr/local/thirdparty/jakarta-tomcat/conf/tomcat-users.xml


3. Unauthenticated access to ping command
-

The pingExecute servlet allows unauthenticated users to execute pings
to arbitrary IP addresses. This could be used by an attacker to
enumerate the internal network. The following URL triggers a ping of
the host 10.0.0.1:

https://cucm.example.com:8443/cmplatform/pingExecute?hostname=10.0.0.1&interval=1.0&packetsize=12&count=1000&secure=false


4. Magic session ID allows unauthenticated access to SOAP calls
---

Authentication for some methods in the EPAS SOAP interface can be
bypassed by using a hardcoded session ID. The methods
"GetUserLoginInfoHandler" and "GetLoggedinXMPPUserHandler" are
affected.


Fix Information:


Upgrade to CUCM version 9.2, 10.5.2 or 11.0.1.


References:
---

https://tools.cisco.com/quickview/bug/CSCus88031
https://tools.cisco.com/quickview/bug/CSCur49414
https://tools.cisco.com/quickview/bug/CSCum05290
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
http://tools.cisco.com/security/center/viewAlert.x?alertId=37111


Timeline:
-

2014/10: Issues reported to Cisco;
2015/07: Confirm that all issues have been fixed.


About Vantage Point Security:


Vantage Point is the leading provider for penetration testing and
security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg

RE: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

[Limanovski, Dimitri]

Hi Kevin,
I too was looking at this, and it does look absolutely horrendous. More so, 
that Microsoft does not provide a good measure to control WPBT: in the official 
doc there's some watered down paragraph about "good security measures", but 
there's no way to enforce binary signing, or CA-like validation of the 
signature. One thing is not clear is whether Windows 10 is vulnerable to the 
same functionality, and whether the malicious actors can write to WPBT 
directly, or, like the case with Lenovo, have to hijack "trusted" OEM apps that 
are allowed to do so.

Dimitri

-Original Message-
From: Kevin Beaumont [mailto:kevin.beaum...@gmail.com] 
Sent: Wednesday, August 12, 2015 7:45 AM
To: bugtraq@securityfocus.com
Subject: Windows Platform Binary Table (WPBT) - BIOS PE backdoor

PRECURSOR

There will be debate about if this is a vulnerability.  It affects a majority 
of user PCs -- including all Enterprise editions of Windows, there is no way to 
disable it, and allows direct code execution into secure boot sequences.  I 
believe it is worth discussing.

SCOPE

Microsoft documented a feature in Windows 8 and above called Windows Platform 
Binary Table.  Up until two days ago, this was a single Word document not 
referenced elsewhere on Google:

 
http://webcache.googleusercontent.com/search?q=cache:H-SSYRAB0usJ:download.microsoft.com/download/8/A/2/8A2FB72D-9B96-4E2D-A559-4A27CF905A80/windows-platform-binary-table.docx+&cd=1&hl=en&ct=clnk&gl=us

This feature allows a BIOS to deliver the payload of an executable, which is 
run in memory, silently, each time a system is booted.  The executable code is 
run under under Session Manager context (i.e.
SYSTEM).

This technique is being used by Lenovo and HP to silently deliver software, 
even after systems are completely wiped.  This issue came to light in this 
forum thread:
http://arstechnica.com/civis/viewtopic.php?p=29551819#p29551819

Additionally, the code is injected and executed in Windows after the Windows 
kernel has booted - meaning hard drives are accessible.  In a HP document - 
http://h10032.www1.hp.com/ctg/Manual/c03857419.pdf page
18 - they reference they use Windows Platform Binary Table to inject their code 
into encrypted systems (e.g. BitLocker) ().

MITIGATIONS

It is not possible to disable this functionality.  If you can gain access to 
the BIOS, you can inject code into the Windows boot sequence using the 
documentation linked above.  The BIOS delivered PE code is not countersigned by 
Microsoft.

Microsoft say: "If partners intentionally or unintentionally introduce malware 
or unwanted software though the WPBT, Microsoft may remove such software 
through the use of antimalware software.  Software that is determined to be 
malicious may be subject to immediate removal without notice."

However, you are relying on Microsoft being aware of attacks.  Since the code 
is executed in memory and not written to disk prior to activation, Windows 
Defender does not even scan the executed code.


This message may contain information that is confidential or privileged. If you 
are not the intended recipient, please advise the sender immediately and delete 
this message. See 
http://www.blackrock.com/corporate/en-us/compliance/email-disclaimers for 
further information.  Please refer to 
http://www.blackrock.com/corporate/en-us/compliance/privacy-policy for more 
information about BlackRock’s Privacy Policy.

For a list of BlackRock's office addresses worldwide, see 
http://www.blackrock.com/corporate/en-us/about-us/contacts-locations.

© 2014 BlackRock, Inc. All rights reserved.

[SECURITY] [DSA 3335-1] request-tracker4 security update

[Salvatore Bonaccorso]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3335-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 13, 2015   https://www.debian.org/security/faq
- -

Package: request-tracker4
CVE ID : CVE-2015-5475

It was discovered that Request Tracker, an extensible trouble-ticket
tracking system is susceptible to a cross-site scripting attack via the
user an group rights management pages (CVE-2015-5475) and via the
cryptography interface, allowing an attacker with a carefully-crafted
key to inject JavaScript into RT's user interface. Installations which
use neither GnuPG nor S/MIME are unaffected by the second cross-site
scripting vulnerability.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.0.7-5+deb7u4. The oldstable distribution (wheezy) is only
affected by CVE-2015-5475.

For the stable distribution (jessie), these problems have been fixed in
version 4.2.8-3+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 4.2.11-2.

We recommend that you upgrade your request-tracker4 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJVzJhOAAoJEAVMuPMTQ89Exc8P/3jiiaHi58Qd7XKfXtrhiZ9F
C151U/8ohyNmh1bPt2VaxJbKI+7/ILYqDzbuYNhrtDg8zgCcBN3O/kjpuJ7lEJo4
569osYurswsZTknZ3JND0BRazmkHUX4T4NFTMOB2DvsV/cpBy7tMvq4ZzHrMoned
If+NfyuU8FEJKpielUixulzNzowXGOEwsPp9RTEitRhzWnh5GjM92e+9fyFa4d94
Iy9yIMZkKhB3uxJWX52dxA8sqVzn6Q4Pz7IWbKrgccrEb3p7VYoJ72ehWI5sNR/J
FhRJhd09tn/kbl+c4BMG4awNZFLlRbGUsK6Dy0OWz5jdiUx4BF/7hyyJ6k3M/ZIT
wktinMGRPXcteOXt5VFPhCBkGSqnEUwejTUwwFpTcimQ9RPyMjvaYrmOiqVpRIMB
JaDhPVF9vXGvf6TwbLDio8TE1tdDvDupsf54jHYnJm6Xg/FuBJSn6Gu7A0FhWEsS
Viq5ROODuMbmyPdU3KVK9wEh3XLFyWr4HUvKFCInIA2fvc8X+i7Ysopfwm2AmgUl
LN0IYHsvoSTuvtAAUYzY9HaGXdJbRGZMNIje4jv66JqNNrWHr1aWgWXLQhjMZzF8
MNaRffl33jZQAA4Y2X1w0vou44PNxZjNhPp9MjnOkLpgy2CgiftO3jh2wv+kFWFu
VEgGCo6aTDpXbU/3nUL0
=Aes9
-END PGP SIGNATURE-